13 files changed, 1637 insertions, 0 deletions
diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/FederatedAuthConstants.java b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/FederatedAuthConstants.java
new file mode 100644
index 000000000..1f7f27617
--- /dev/null
+++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/FederatedAuthConstants.java
@@ -0,0 +1,52 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth.modules.federatedauth;
+
+/**
+ * @author tlenz
+ *
+ */
+public class FederatedAuthConstants {
+
+	public static final String MODULE_NAME_FOR_LOGGING = "federated IDP";
+	
+	public static final int METADATA_VALIDUNTIL_IN_HOURS = 24; 
+	
+	public static final String ENDPOINT_POST = "/sp/federated/post";
+	public static final String ENDPOINT_REDIRECT = "/sp/federated/redirect";
+	public static final String ENDPOINT_METADATA = "/sp/federated/metadata";
+
+	public static final String CONFIG_PROPS_PREFIX = "modules.federatedAuth.";	
+	public static final String CONFIG_PROPS_KEYSTORE = CONFIG_PROPS_PREFIX + "keystore.path";
+	public static final String CONFIG_PROPS_KEYSTOREPASSWORD = CONFIG_PROPS_PREFIX + "keystore.password";
+	public static final String CONFIG_PROPS_SIGN_METADATA_KEY_PASSWORD = CONFIG_PROPS_PREFIX + "metadata.sign.password";
+	public static final String CONFIG_PROPS_SIGN_METADATA_ALIAS_PASSWORD = CONFIG_PROPS_PREFIX + "metadata.sign.alias";
+	public static final String CONFIG_PROPS_SIGN_SIGNING_KEY_PASSWORD = CONFIG_PROPS_PREFIX + "request.sign.password";
+	public static final String CONFIG_PROPS_SIGN_SIGNING_ALIAS_PASSWORD = CONFIG_PROPS_PREFIX + "request.sign.alias";
+	public static final String CONFIG_PROPS_ENCRYPTION_KEY_PASSWORD = CONFIG_PROPS_PREFIX + "response.encryption.password";
+	public static final String CONFIG_PROPS_ENCRYPTION_ALIAS_PASSWORD = CONFIG_PROPS_PREFIX + "response.encryption.alias";
+	
+	public static final String CONFIG_DEFAULT_QAA_STORK_LEVEL = "http://www.stork.gov.eu/1.0/citizenQAALevel/4";
+	public static final String CONFIG_DEFAULT_QAA_SECCLASS_LEVEL = "http://www.ref.gv.at/ns/names/agiz/pvp/secclass/0-3";
+	
+}
diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/FederatedAuthenticationModuleImpl.java b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/FederatedAuthenticationModuleImpl.java
new file mode 100644
index 000000000..49275c6eb
--- /dev/null
+++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/FederatedAuthenticationModuleImpl.java
@@ -0,0 +1,68 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth.modules.federatedauth;
+
+import at.gv.egovernment.moa.id.auth.modules.AuthModule;
+import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants;
+import at.gv.egovernment.moa.id.process.api.ExecutionContext;
+
+/**
+ * @author tlenz
+ *
+ */
+public class FederatedAuthenticationModuleImpl implements AuthModule {
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.auth.modules.AuthModule#getPriority()
+	 */
+	@Override
+	public int getPriority() {
+		// TODO Auto-generated method stub
+		return 0;
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.auth.modules.AuthModule#selectProcess(at.gv.egovernment.moa.id.process.api.ExecutionContext)
+	 */
+	@Override
+	public String selectProcess(ExecutionContext context) {
+		//select interfederation authentication if PERFORM_INTERFEDERATION_AUTH flag is set
+		Object performfedAuthObj = context.get(MOAIDAuthConstants.PROCESSCONTEXT_PERFORM_INTERFEDERATION_AUTH);
+		if (performfedAuthObj != null && performfedAuthObj instanceof Boolean) {
+			if ((boolean) performfedAuthObj)
+				return "SSOfederationAuthentication";
+			
+		}
+		
+		return null;		
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.auth.modules.AuthModule#getProcessDefinitions()
+	 */
+	@Override
+	public String[] getProcessDefinitions() {
+		return new String[] { "classpath:at/gv/egovernment/moa/id/auth/modules/federatedauth/federated.Authentication.process.xml" };
+	}
+
+}
diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/FederatedAuthenticationSpringResourceProvider.java b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/FederatedAuthenticationSpringResourceProvider.java
new file mode 100644
index 000000000..91d56ebed
--- /dev/null
+++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/FederatedAuthenticationSpringResourceProvider.java
@@ -0,0 +1,63 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth.modules.federatedauth;
+
+import org.springframework.core.io.ClassPathResource;
+import org.springframework.core.io.Resource;
+
+import at.gv.egiz.components.spring.api.SpringResourceProvider;
+
+/**
+ * @author tlenz
+ *
+ */
+public class FederatedAuthenticationSpringResourceProvider implements SpringResourceProvider {
+
+	/* (non-Javadoc)
+	 * @see at.gv.egiz.components.spring.api.SpringResourceProvider#getResourcesToLoad()
+	 */
+	@Override
+	public Resource[] getResourcesToLoad() {
+		ClassPathResource federationAuthConfig = new ClassPathResource("/moaid_federated_auth.beans.xml", FederatedAuthenticationSpringResourceProvider.class);					
+		
+		return new Resource[] {federationAuthConfig};
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egiz.components.spring.api.SpringResourceProvider#getPackagesToScan()
+	 */
+	@Override
+	public String[] getPackagesToScan() {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egiz.components.spring.api.SpringResourceProvider#getName()
+	 */
+	@Override
+	public String getName() {
+		return "MOA-ID Auth-module 'SSO Interfederation'";
+	}
+
+}
diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthMetadataConfiguration.java b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthMetadataConfiguration.java
new file mode 100644
index 000000000..c3d5e8032
--- /dev/null
+++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthMetadataConfiguration.java
@@ -0,0 +1,307 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth.modules.federatedauth.config;
+
+import java.util.Arrays;
+import java.util.List;
+
+import org.opensaml.saml2.core.Attribute;
+import org.opensaml.saml2.core.NameIDType;
+import org.opensaml.saml2.metadata.ContactPerson;
+import org.opensaml.saml2.metadata.Organization;
+import org.opensaml.saml2.metadata.RequestedAttribute;
+import org.opensaml.xml.security.credential.Credential;
+
+import at.gv.egovernment.moa.id.auth.modules.federatedauth.FederatedAuthConstants;
+import at.gv.egovernment.moa.id.auth.modules.federatedauth.utils.FederatedAuthCredentialProvider;
+import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPMetadataBuilderConfiguration;
+import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration;
+import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException;
+import at.gv.egovernment.moa.logging.Logger;
+
+/**
+ * @author tlenz
+ *
+ */
+public class FederatedAuthMetadataConfiguration implements IPVPMetadataBuilderConfiguration {
+
+	
+	private static final int VALIDUNTIL_IN_HOURS = 24;
+	
+	private String authURL;
+	private FederatedAuthCredentialProvider credentialProvider;
+	
+	public FederatedAuthMetadataConfiguration(String authURL, FederatedAuthCredentialProvider credentialProvider) {
+		this.authURL = authURL;
+		this.credentialProvider = credentialProvider;
+				
+	}
+	
+	
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getMetadataValidUntil()
+	 */
+	@Override
+	public int getMetadataValidUntil() {
+		return FederatedAuthConstants.METADATA_VALIDUNTIL_IN_HOURS;
+		
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#buildEntitiesDescriptorAsRootElement()
+	 */
+	@Override
+	public boolean buildEntitiesDescriptorAsRootElement() {
+		return false;
+		
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#buildIDPSSODescriptor()
+	 */
+	@Override
+	public boolean buildIDPSSODescriptor() {
+		return false;
+		
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#buildSPSSODescriptor()
+	 */
+	@Override
+	public boolean buildSPSSODescriptor() {
+		return true;
+		
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getEntityIDPostfix()
+	 */
+	@Override
+	public String getEntityID() {
+		return authURL + FederatedAuthConstants.ENDPOINT_METADATA;
+		
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getEntityFriendlyName()
+	 */
+	@Override
+	public String getEntityFriendlyName() {
+		return null;
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getContactPersonInformation()
+	 */
+	@Override
+	public List<ContactPerson> getContactPersonInformation() {
+		try {
+			return PVPConfiguration.getInstance().getIDPContacts();
+			
+		} catch (ConfigurationException e) {
+			Logger.warn("Can not load Metadata entry: Contect Person", e);
+			return null;
+			
+		}
+		
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getOrgansiationInformation()
+	 */
+	@Override
+	public Organization getOrgansiationInformation() {
+		try {
+			return PVPConfiguration.getInstance().getIDPOrganisation();
+			
+		} catch (ConfigurationException e) {
+			Logger.warn("Can not load Metadata entry: Organisation", e);
+			return null;
+			
+		}
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getMetadataSigningCredentials()
+	 */
+	@Override
+	public Credential getMetadataSigningCredentials() throws CredentialsNotAvailableException {
+		return credentialProvider.getIDPMetaDataSigningCredential();
+		
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getRequestorResponseSigningCredentials()
+	 */
+	@Override
+	public Credential getRequestorResponseSigningCredentials() throws CredentialsNotAvailableException {
+		return credentialProvider.getIDPAssertionSigningCredential();
+		
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getEncryptionCredentials()
+	 */
+	@Override
+	public Credential getEncryptionCredentials() throws CredentialsNotAvailableException {
+		return credentialProvider.getIDPAssertionEncryptionCredential();
+		
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getIDPWebSSOPostBindingURL()
+	 */
+	@Override
+	public String getIDPWebSSOPostBindingURL() {
+		return null;
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getIDPWebSSORedirectBindingURL()
+	 */
+	@Override
+	public String getIDPWebSSORedirectBindingURL() {
+		return null;
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getIDPSLOPostBindingURL()
+	 */
+	@Override
+	public String getIDPSLOPostBindingURL() {
+		return null;
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getIDPSLORedirectBindingURL()
+	 */
+	@Override
+	public String getIDPSLORedirectBindingURL() {
+		return null;
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getSPAssertionConsumerServicePostBindingURL()
+	 */
+	@Override
+	public String getSPAssertionConsumerServicePostBindingURL() {
+		return authURL + FederatedAuthConstants.ENDPOINT_POST;
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getSPAssertionConsumerServiceRedirectBindingURL()
+	 */
+	@Override
+	public String getSPAssertionConsumerServiceRedirectBindingURL() {
+		return authURL + FederatedAuthConstants.ENDPOINT_REDIRECT;
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getSPSLOPostBindingURL()
+	 */
+	@Override
+	public String getSPSLOPostBindingURL() {
+		return authURL + FederatedAuthConstants.ENDPOINT_POST;
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getSPSLORedirectBindingURL()
+	 */
+	@Override
+	public String getSPSLORedirectBindingURL() {
+		return authURL + FederatedAuthConstants.ENDPOINT_REDIRECT;
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getSPSLOSOAPBindingURL()
+	 */
+	@Override
+	public String getSPSLOSOAPBindingURL() {
+		return null;
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getIDPPossibleAttributes()
+	 */
+	@Override
+	public List<Attribute> getIDPPossibleAttributes() {
+		return null;
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getIDPPossibleNameITTypes()
+	 */
+	@Override
+	public List<String> getIDPPossibleNameITTypes() {
+		return null;
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getSPRequiredAttributes()
+	 */
+	@Override
+	public List<RequestedAttribute> getSPRequiredAttributes() {
+		return null;
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getSPAllowedNameITTypes()
+	 */
+	@Override
+	public List<String> getSPAllowedNameITTypes() {
+		return Arrays.asList(NameIDType.PERSISTENT, 
+							 NameIDType.TRANSIENT,
+							 NameIDType.UNSPECIFIED);
+		
+	}
+
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPMetadataBuilderConfiguration#getSPNameForLogging()
+	 */
+	@Override
+	public String getSPNameForLogging() {
+		return FederatedAuthConstants.MODULE_NAME_FOR_LOGGING;
+	}
+
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPMetadataBuilderConfiguration#wantAssertionSigned()
+	 */
+	@Override
+	public boolean wantAssertionSigned() {
+		return false;
+	}
+
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPMetadataBuilderConfiguration#wantAuthnRequestSigned()
+	 */
+	@Override
+	public boolean wantAuthnRequestSigned() {
+		return true;
+	}
+
+}
diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthnRequestBuilderConfiguration.java b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthnRequestBuilderConfiguration.java
new file mode 100644
index 000000000..000590923
--- /dev/null
+++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthnRequestBuilderConfiguration.java
@@ -0,0 +1,211 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth.modules.federatedauth.config;
+
+import org.opensaml.saml2.core.AuthnContextComparisonTypeEnumeration;
+import org.opensaml.saml2.core.NameID;
+import org.opensaml.saml2.metadata.EntityDescriptor;
+import org.opensaml.xml.security.credential.Credential;
+import org.w3c.dom.Element;
+
+import at.gv.egovernment.moa.id.auth.modules.federatedauth.FederatedAuthConstants;
+import at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation;
+
+/**
+ * @author tlenz
+ *
+ */
+public class FederatedAuthnRequestBuilderConfiguration implements IPVPAuthnRequestBuilderConfiguruation {
+
+	private boolean isPassive;
+	private String SPEntityID;
+	private String QAA_Level;
+	private EntityDescriptor idpEntity;
+	private Credential signCred;
+	
+	
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#isPassivRequest()
+	 */
+	@Override
+	public Boolean isPassivRequest() {
+		return this.isPassive;
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getAssertionConsumerServiceId()
+	 */
+	@Override
+	public Integer getAssertionConsumerServiceId() {
+		return 0;
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getEntityID()
+	 */
+	@Override
+	public String getSPEntityID() {
+		return this.SPEntityID;
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getNameIDPolicy()
+	 */
+	@Override
+	public String getNameIDPolicyFormat() {
+		return NameID.TRANSIENT;
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getNameIDPolicy()
+	 */
+	@Override
+	public boolean getNameIDPolicyAllowCreation() {
+		return true;
+	}
+	
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getAuthnContextClassRef()
+	 */
+	@Override
+	public String getAuthnContextClassRef() {
+		return this.QAA_Level;
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getAuthnContextComparison()
+	 */
+	@Override
+	public AuthnContextComparisonTypeEnumeration getAuthnContextComparison() {
+		return AuthnContextComparisonTypeEnumeration.MINIMUM;
+	}
+
+	/**
+	 * @param isPassive the isPassive to set
+	 */
+	public void setPassive(boolean isPassive) {
+		this.isPassive = isPassive;
+	}
+
+	/**
+	 * @param sPEntityID the sPEntityID to set
+	 */
+	public void setSPEntityID(String sPEntityID) {
+		SPEntityID = sPEntityID;
+	}
+
+	/**
+	 * @param qAA_Level the qAA_Level to set
+	 */
+	public void setQAA_Level(String qAA_Level) {
+		QAA_Level = qAA_Level;
+	}
+
+	/**
+	 * @param idpEntity the idpEntity to set
+	 */
+	public void setIdpEntity(EntityDescriptor idpEntity) {
+		this.idpEntity = idpEntity;
+	}
+
+	/**
+	 * @param signCred the signCred to set
+	 */
+	public void setSignCred(Credential signCred) {
+		this.signCred = signCred;
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getAuthnRequestSigningCredential()
+	 */
+	@Override
+	public Credential getAuthnRequestSigningCredential() {
+		return this.signCred;
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getIDPEntityDescriptor()
+	 */
+	@Override
+	public EntityDescriptor getIDPEntityDescriptor() {
+		return this.idpEntity;
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getSubjectNameID()
+	 */
+	@Override
+	public String getSubjectNameID() {
+		return null;
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getSPNameForLogging()
+	 */
+	@Override
+	public String getSPNameForLogging() {
+		return FederatedAuthConstants.MODULE_NAME_FOR_LOGGING;
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getSubjectNameIDFormat()
+	 */
+	@Override
+	public String getSubjectNameIDFormat() {
+		return null;
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getRequestID()
+	 */
+	@Override
+	public String getRequestID() {
+		return null;
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getSubjectNameIDQualifier()
+	 */
+	@Override
+	public String getSubjectNameIDQualifier() {
+		return null;
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getSubjectConformationMethode()
+	 */
+	@Override
+	public String getSubjectConformationMethode() {
+		return null;
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getSubjectConformationDate()
+	 */
+	@Override
+	public Element getSubjectConformationDate() {
+		return null;
+	}
+
+	
+}
diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/controller/FederatedAuthMetadataController.java b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/controller/FederatedAuthMetadataController.java
new file mode 100644
index 000000000..98240a636
--- /dev/null
+++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/controller/FederatedAuthMetadataController.java
@@ -0,0 +1,97 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth.modules.federatedauth.controller;
+
+import java.io.IOException;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+
+import at.gv.egovernment.moa.id.auth.modules.federatedauth.FederatedAuthConstants;
+import at.gv.egovernment.moa.id.auth.modules.federatedauth.config.FederatedAuthMetadataConfiguration;
+import at.gv.egovernment.moa.id.auth.modules.federatedauth.utils.FederatedAuthCredentialProvider;
+import at.gv.egovernment.moa.id.auth.servlet.AbstractController;
+import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.PVPMetadataBuilder;
+import at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPMetadataBuilderConfiguration;
+import at.gv.egovernment.moa.id.util.HTTPUtils;
+import at.gv.egovernment.moa.logging.Logger;
+
+/**
+ * @author tlenz
+ *
+ */
+@Controller
+public class FederatedAuthMetadataController extends AbstractController {
+	
+	@Autowired PVPMetadataBuilder metadatabuilder;
+	@Autowired AuthConfiguration authConfig;
+	@Autowired FederatedAuthCredentialProvider credentialProvider; 
+	
+	public FederatedAuthMetadataController() {
+		super();
+		Logger.debug("Registering servlet " + getClass().getName() 
+				+ " with mappings '" + FederatedAuthConstants.ENDPOINT_METADATA 
+				+ "'.");
+		
+	}
+	
+	@RequestMapping(value = "/sp/federated/metadata", 
+					method = {RequestMethod.GET})
+	public void getSPMetadata(HttpServletRequest req, HttpServletResponse resp) throws IOException {
+		//check PublicURL prefix
+		try {
+			String authURL = HTTPUtils.extractAuthURLFromRequest(req);		
+			if (!authConfig.getPublicURLPrefix().contains(authURL)) {		
+				resp.sendError(HttpServletResponse.SC_FORBIDDEN, "No valid request URL");
+				return;
+				
+			} else {
+				//initialize metadata builder configuration
+				IPVPMetadataBuilderConfiguration metadataConfig = 
+						new FederatedAuthMetadataConfiguration(authURL, credentialProvider);
+				
+				//build metadata
+				String xmlMetadata = metadatabuilder.buildPVPMetadata(metadataConfig);
+				
+				//write response
+				resp.setContentType("text/xml");
+				resp.getOutputStream().write(xmlMetadata.getBytes("UTF-8"));
+				resp.getOutputStream().close();
+
+			}
+			
+		} catch (Exception e) {
+			Logger.warn("Build federated-authentication PVP metadata FAILED.", e);
+			handleErrorNoRedirect(e, req, resp, false);
+			
+		}
+		
+	}
+		
+}
diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/controller/FederatedAuthSignalController.java b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/controller/FederatedAuthSignalController.java
new file mode 100644
index 000000000..431ed5ef1
--- /dev/null
+++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/controller/FederatedAuthSignalController.java
@@ -0,0 +1,67 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth.modules.federatedauth.controller;
+
+import java.io.IOException;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.commons.lang3.StringEscapeUtils;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+
+import at.gv.egovernment.moa.id.auth.modules.federatedauth.FederatedAuthConstants;
+import at.gv.egovernment.moa.id.auth.servlet.AbstractProcessEngineSignalController;
+import at.gv.egovernment.moa.logging.Logger;
+
+/**
+ * @author tlenz
+ *
+ */
+@Controller
+public class FederatedAuthSignalController extends AbstractProcessEngineSignalController {
+
+	public FederatedAuthSignalController() {
+		super();
+		Logger.debug("Registering servlet " + getClass().getName() 
+				+ " with mappings '" + FederatedAuthConstants.ENDPOINT_POST 
+				+ "' and '" + FederatedAuthConstants.ENDPOINT_REDIRECT + "'.");
+		
+	}
+	
+	@RequestMapping(value = {	"/sp/federated/post", 
+			 					"/sp/federated/redirect"
+							}, 
+					method = {RequestMethod.POST, RequestMethod.GET})
+	public void performCitizenCardAuthentication(HttpServletRequest req, HttpServletResponse resp) throws IOException {
+		signalProcessManagement(req, resp);
+		
+	}
+	
+	public String getPendingRequestId(HttpServletRequest request) {
+		return StringEscapeUtils.escapeHtml4(request.getParameter("RelayState"));
+		
+	}
+}
diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/CreateAuthnRequestTask.java b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/CreateAuthnRequestTask.java
new file mode 100644
index 000000000..d581e7e75
--- /dev/null
+++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/CreateAuthnRequestTask.java
@@ -0,0 +1,219 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth.modules.federatedauth.tasks;
+
+import java.lang.reflect.InvocationTargetException;
+import java.security.NoSuchAlgorithmException;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.opensaml.saml2.metadata.EntityDescriptor;
+import org.opensaml.saml2.metadata.provider.MetadataProviderException;
+import org.opensaml.ws.message.encoder.MessageEncodingException;
+import org.opensaml.xml.security.SecurityException;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Component;
+
+import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask;
+import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException;
+import at.gv.egovernment.moa.id.auth.modules.federatedauth.FederatedAuthConstants;
+import at.gv.egovernment.moa.id.auth.modules.federatedauth.config.FederatedAuthnRequestBuilderConfiguration;
+import at.gv.egovernment.moa.id.auth.modules.federatedauth.utils.FederatedAuthCredentialProvider;
+import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants;
+import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
+import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
+import at.gv.egovernment.moa.id.moduls.RequestImpl;
+import at.gv.egovernment.moa.id.process.api.ExecutionContext;
+import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.PVPAuthnRequestBuilder;
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AuthnRequestBuildException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider;
+import at.gv.egovernment.moa.id.util.PVPtoSTORKMapper;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.MiscUtil;
+
+/**
+ * @author tlenz
+ *
+ */
+@Component("CreateFederatedAuthnRequestTask")
+public class CreateAuthnRequestTask extends AbstractAuthServletTask {
+
+	@Autowired PVPAuthnRequestBuilder authnReqBuilder;
+	@Autowired FederatedAuthCredentialProvider credential;
+	
+	
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask#execute(at.gv.egovernment.moa.id.process.api.ExecutionContext, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)
+	 */
+	@Override
+	public void execute(ExecutionContext executionContext, HttpServletRequest request, HttpServletResponse response)
+			throws TaskExecutionException {
+		try{
+			// get IDP entityID
+			String idpEntityID = pendingReq.getGenericData(RequestImpl.DATAID_INTERFEDERATIOIDP_URL, String.class);
+					
+			if (MiscUtil.isEmpty(idpEntityID)) {
+				Logger.info("Interfederation not possible -> not inderfederation IDP EntityID found!");
+				throw new TaskExecutionException(pendingReq, "Interfederation not possible", new MOAIDException("No inderfederation-IDP EntityID found.", null));
+				
+			}
+			
+			//load IDP configuration from MOA-ID Configuration
+			IOAAuthParameters idpConfig = authConfig.getOnlineApplicationParameter(idpEntityID);
+			//validate IDP
+			if (!idpConfig.isInderfederationIDP() || !idpConfig.isInboundSSOInterfederationAllowed()) {
+				Logger.info("Requested interfederation IDP " + idpEntityID + " is not valid for interfederation.");
+				Logger.debug("isInderfederationIDP:" + String.valueOf(idpConfig.isInderfederationIDP())
+					+ " isInboundSSOAllowed:" + String.valueOf(idpConfig.isInboundSSOInterfederationAllowed()));
+			
+				handleAuthnRequestBuildProblem(executionContext, idpConfig, "sp.pvp2.01", new Object[]{FederatedAuthConstants.MODULE_NAME_FOR_LOGGING, idpEntityID}); 
+		
+				return;
+				
+			}
+			
+			//load IDP SAML2 entitydescriptor
+			EntityDescriptor idpEntity = MOAMetadataProvider.getInstance().
+					getEntityDescriptor(idpEntityID);			
+			if (idpEntity == null) {
+				Logger.warn("Requested IDP " + idpEntityID 
+						+ " has no valid metadata or metadata is not found");
+				
+				handleAuthnRequestBuildProblem(executionContext, idpConfig, "sp.pvp2.02", new Object[]{FederatedAuthConstants.MODULE_NAME_FOR_LOGGING, idpEntityID});		
+				return;
+				
+			}
+			
+			//setup AuthnRequestBuilder configuration
+			FederatedAuthnRequestBuilderConfiguration authnReqConfig = new FederatedAuthnRequestBuilderConfiguration();
+			authnReqConfig.setIdpEntity(idpEntity);
+			authnReqConfig.setPassive(idpConfig.isPassivRequestUsedForInterfederation());
+			authnReqConfig.setSignCred(credential.getIDPAssertionSigningCredential());
+			authnReqConfig.setSPEntityID(pendingReq.getAuthURL() + FederatedAuthConstants.ENDPOINT_METADATA);			
+			authnReqConfig.setQAA_Level(evaluateRequiredQAALevel());
+						
+			//build and transmit AuthnRequest
+			authnReqBuilder.buildAuthnRequest(pendingReq, authnReqConfig , response);
+			
+		} catch (MOAIDException | MetadataProviderException e) {
+			throw new TaskExecutionException(pendingReq, "Build PVP2.1 AuthnRequest for SSO inderfederation FAILED.", e);
+
+		} catch (MessageEncodingException | NoSuchAlgorithmException  | SecurityException e) {
+			Logger.error("Build PVP2.1 AuthnRequest for SSO inderfederation FAILED", e);
+			throw new TaskExecutionException(pendingReq, e.getMessage(), e);
+			
+		} catch (Exception e) {
+			Logger.error("Build PVP2.1 AuthnRequest for SSO inderfederation FAILED", e);
+			throw new TaskExecutionException(pendingReq, e.getMessage(), e);
+			
+		}
+	}
+	
+	/**
+	 * @param executionContext
+	 * @param idpConfig
+	 * @param message 
+	 * @param objects 
+	 * @throws AuthnRequestBuildException 
+	 */
+	private void handleAuthnRequestBuildProblem(ExecutionContext executionContext, IOAAuthParameters idpConfig, String msgCode, Object[] objects) throws AuthnRequestBuildException {
+
+		if (idpConfig.isPerformLocalAuthenticationOnInterfederationError()) {
+			Logger.info("Switch to local authentication on this IDP ... ");
+		
+			executionContext.put(MOAIDAuthConstants.PROCESSCONTEXT_REQUIRELOCALAUTHENTICATION, true);
+			executionContext.put(MOAIDAuthConstants.PROCESSCONTEXT_PERFORM_BKUSELECTION, true);
+		
+			executionContext.remove(MOAIDAuthConstants.PROCESSCONTEXT_PERFORM_INTERFEDERATION_AUTH);
+			
+		} else {
+			throw new AuthnRequestBuildException(msgCode, objects);
+			
+		}
+		
+	}
+	
+	private String evaluateRequiredQAALevel() {
+		IOAAuthParameters sp = pendingReq.getOnlineApplicationConfiguration();
+				
+		//check if STORK protocol module is in ClassPath
+		Object storkRequst = null;
+		Integer storkSecClass = null;
+		try {
+			storkRequst = Class.forName("at.gv.egovernment.moa.id.protocols.stork2.MOASTORKRequest").newInstance();
+			if (storkRequst != null && 
+					pendingReq.getClass().isInstance(storkRequst)) {
+				Object storkAuthnRequest = pendingReq.getClass().getMethod("getStorkAuthnRequest", null).invoke(pendingReq, null);
+				storkSecClass = (Integer) storkAuthnRequest.getClass().getMethod("getQaa", null).invoke(storkAuthnRequest, null);
+				
+			}
+									
+		} catch (ClassNotFoundException | InstantiationException | IllegalAccessException | IllegalArgumentException | InvocationTargetException | NoSuchMethodException | java.lang.SecurityException ex) {
+			
+			
+		}
+				
+		if (sp != null && sp.isSTORKPVPGateway()){
+			//use PVP SecClass instead of STORK QAA level
+			String secClass = null;
+			if (storkRequst != null && 
+					pendingReq.getClass().isInstance(storkRequst)) {
+				
+				try {									
+					secClass = PVPtoSTORKMapper.getInstance().mapToSecClass(
+							PVPConstants.STORK_QAA_PREFIX + String.valueOf(storkSecClass));
+				
+				} catch (Exception e) {
+					Logger.warn("STORK-QAA level can not read from STORK request. Use default QAA 4", e);
+
+				}							
+			}
+			
+			if (MiscUtil.isNotEmpty(secClass))
+				return secClass;
+			else
+				return FederatedAuthConstants.CONFIG_DEFAULT_QAA_SECCLASS_LEVEL;
+								
+		} else {
+			if (storkRequst != null && pendingReq.getClass().isInstance(storkRequst)) {
+				//use requested QAA level from STORK request
+				try {
+					String qaaLevel = PVPConstants.STORK_QAA_PREFIX + String.valueOf(storkSecClass);
+					Logger.debug("Use STORK-QAA level " + qaaLevel + " from STORK request");
+					return qaaLevel;
+					
+					
+				} catch (Exception e) {
+					Logger.warn("Read STORK-QAA level FAILED with an exception.", e);
+					
+				}				
+			}			
+			Logger.warn("STORK-QAA level can not read from STORK request. Use default QAA 4");
+			return FederatedAuthConstants.CONFIG_DEFAULT_QAA_STORK_LEVEL;
+			
+		}		
+	}
+
+}
diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java
new file mode 100644
index 000000000..1c3134b77
--- /dev/null
+++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java
@@ -0,0 +1,367 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth.modules.federatedauth.tasks;
+
+import java.io.IOException;
+import java.util.Collection;
+import java.util.List;
+import java.util.Set;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.xml.transform.TransformerException;
+
+import org.opensaml.saml2.core.Attribute;
+import org.opensaml.saml2.core.Response;
+import org.opensaml.saml2.core.StatusCode;
+import org.opensaml.ws.message.decoder.MessageDecodingException;
+import org.opensaml.xml.io.MarshallingException;
+import org.opensaml.xml.security.SecurityException;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Component;
+
+import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants;
+import at.gv.egovernment.moa.id.auth.builder.AuthenticationDataBuilder;
+import at.gv.egovernment.moa.id.auth.data.AuthenticationSessionStorageConstants;
+import at.gv.egovernment.moa.id.auth.exception.BuildException;
+import at.gv.egovernment.moa.id.auth.exception.InvalidProtocolRequestException;
+import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask;
+import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException;
+import at.gv.egovernment.moa.id.auth.modules.federatedauth.FederatedAuthConstants;
+import at.gv.egovernment.moa.id.auth.modules.federatedauth.utils.FederatedAuthCredentialProvider;
+import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants;
+import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
+import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
+import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
+import at.gv.egovernment.moa.id.commons.api.exceptions.SessionDataStorageException;
+import at.gv.egovernment.moa.id.moduls.RequestImpl;
+import at.gv.egovernment.moa.id.moduls.SSOManager;
+import at.gv.egovernment.moa.id.process.api.ExecutionContext;
+import at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration;
+import at.gv.egovernment.moa.id.protocols.pvp2x.binding.IDecoder;
+import at.gv.egovernment.moa.id.protocols.pvp2x.binding.MOAURICompare;
+import at.gv.egovernment.moa.id.protocols.pvp2x.binding.PostBinding;
+import at.gv.egovernment.moa.id.protocols.pvp2x.binding.RedirectBinding;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.AttributQueryBuilder;
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionAttributeExtractorExeption;
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionValidationExeption;
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AttributQueryException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AuthnResponseValidationException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessage;
+import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse;
+import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider;
+import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.utils.AssertionAttributeExtractor;
+import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;
+import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngineSP;
+import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.MiscUtil;
+
+/**
+ * @author tlenz
+ *
+ */
+@Component("ReceiveFederatedAuthnResponseTask")
+public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {
+
+	@Autowired private SAMLVerificationEngineSP samlVerificationEngine;
+	@Autowired private FederatedAuthCredentialProvider credentialProvider;
+	@Autowired private SSOManager ssoManager;
+	@Autowired private AttributQueryBuilder attributQueryBuilder;
+	@Autowired private AuthenticationDataBuilder authDataBuilder;
+	
+	
+	
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask#execute(at.gv.egovernment.moa.id.process.api.ExecutionContext, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)
+	 */
+	@Override
+	public void execute(ExecutionContext executionContext, HttpServletRequest request, HttpServletResponse response)
+			throws TaskExecutionException {		
+		InboundMessage msg = null;
+		
+		try {
+			
+			IDecoder decoder = null;
+			MOAURICompare comperator = null;
+			//select Response Binding
+			if (request.getMethod().equalsIgnoreCase("POST")) {
+				decoder = new PostBinding();
+				comperator = new MOAURICompare(pendingReq.getAuthURL() + FederatedAuthConstants.ENDPOINT_POST);
+				Logger.trace("Receive PVP Response from federated IDP, by using POST-Binding.");
+				
+			}  else if (request.getMethod().equalsIgnoreCase("GET")) {
+				decoder = new RedirectBinding();
+				comperator = new MOAURICompare(pendingReq.getAuthURL() + FederatedAuthConstants.ENDPOINT_REDIRECT);
+				Logger.trace("Receive PVP Response from federated IDP, by using Redirect-Binding.");
+				
+			} else {
+				Logger.warn("Receive PVP Response, but Binding (" 
+						+ request.getMethod() + ") is not supported.");
+				throw new AuthnResponseValidationException("sp.pvp2.03", new Object[] {FederatedAuthConstants.MODULE_NAME_FOR_LOGGING});
+				
+			}
+			
+			//decode PVP response object
+			msg = (InboundMessage) decoder.decode(
+					request, response, MOAMetadataProvider.getInstance(), true,
+					comperator);
+			 
+			if (MiscUtil.isEmpty(msg.getEntityID())) {
+				throw new InvalidProtocolRequestException("sp.pvp2.04", new Object[] {FederatedAuthConstants.MODULE_NAME_FOR_LOGGING});
+				
+			}
+
+			//validate response signature
+			if(!msg.isVerified()) {
+				samlVerificationEngine.verify(msg, TrustEngineFactory.getSignatureKnownKeysTrustEngine(MOAMetadataProvider.getInstance()));
+				msg.setVerified(true);
+								
+			}
+			
+			revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.AUTHPROTOCOL_PVP_REQUEST_AUTHRESPONSE);
+			
+			//validate assertion
+			MOAResponse processedMsg = preProcessAuthResponse((MOAResponse) msg);
+			
+			//load IDP and SP configuration
+			IOAAuthParameters idpConfig = authConfig.getOnlineApplicationParameter(msg.getEntityID());
+			IOAAuthParameters spConfig = pendingReq.getOnlineApplicationConfiguration();
+			
+			//check if response Entity is valid
+			if (!idpConfig.isInderfederationIDP()) {
+				Logger.warn("Response Issuer is not a federated IDP. Stopping federated authentication ...");
+				throw new AuthnResponseValidationException("sp.pvp2.08", 
+						new Object[] {FederatedAuthConstants.MODULE_NAME_FOR_LOGGING,
+								msg.getEntityID()});
+				
+			}
+			
+			//load MOASession from database
+			defaultTaskInitialization(request, executionContext);
+			
+			//initialize Attribute extractor
+			AssertionAttributeExtractor extractor = 
+					new AssertionAttributeExtractor((Response) processedMsg.getResponse());
+			
+			//check if SP is also a federated IDP
+			if (spConfig.isInderfederationIDP()) {
+				//SP is a federated IDP  --> answer only with nameID and wait for attribute-Query
+				pendingReq.setGenericDataToSession(
+						PVPTargetConfiguration.DATAID_INTERFEDERATION_MINIMAL_FRONTCHANNEL_RESP, true);				
+				pendingReq.setGenericDataToSession(
+						PVPTargetConfiguration.DATAID_INTERFEDERATION_NAMEID, extractor.getNameID());
+				pendingReq.setGenericDataToSession(
+						PVPTargetConfiguration.DATAID_INTERFEDERATION_QAALEVEL, extractor.getQAALevel());
+
+				authenticatedSessionStorage.
+				addFederatedSessionInformation(pendingReq, 
+						idpConfig.getPublicURLPrefix(), extractor);
+				
+			} else {
+				//SP is real Service-Provider  --> check attributes in response 
+				// and start Attribute-Query if required 
+												
+				getAuthDataFromInterfederation(extractor, pendingReq.getOnlineApplicationConfiguration(), 
+						idpConfig);	
+
+				//store federatedIDP to MOASession
+				if (idpConfig.isInterfederationSSOStorageAllowed())
+					authenticatedSessionStorage.
+						addFederatedSessionInformation(pendingReq, 
+								idpConfig.getPublicURLPrefix(), extractor);
+				
+				//update MOASession			
+				authenticatedSessionStorage.storeSession(moasession);
+
+			}
+
+			//store valid assertion into pending-request
+			pendingReq.setGenericDataToSession(RequestImpl.DATAID_INTERFEDERATIOIDP_RESPONSE, processedMsg);
+			pendingReq.setGenericDataToSession(RequestImpl.DATAID_INTERFEDERATIOIDP_ENTITYID, processedMsg.getEntityID());
+			
+			//store pending-request
+			requestStoreage.storePendingRequest(pendingReq);
+			
+			//write log entries
+			revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.AUTHPROCESS_INTERFEDERATION_REVEIVED);				
+			Logger.info("Receive a valid assertion from IDP " + msg.getEntityID()); 
+											
+		} catch (MessageDecodingException | SecurityException e) {
+			String samlRequest = request.getParameter("SAMLRequest");			
+			Logger.warn("Receive INVALID PVP Response from federated IDP: " + samlRequest, e);
+			throw new TaskExecutionException(pendingReq, "Receive INVALID PVP Response from federated IDP", e);
+
+		} catch (IOException | MarshallingException | TransformerException e) {
+			Logger.warn("Processing PVP response from federated IDP FAILED.", e);
+			throw new TaskExecutionException(pendingReq, "Processing PVP response from federated IDP FAILED.", e);
+			
+		} catch (CredentialsNotAvailableException e) {
+			Logger.error("PVP response decrytion FAILED. No credential found.", e);
+			throw new TaskExecutionException(pendingReq, "PVP response decrytion FAILED. No credential found.", e);
+
+		} catch (AssertionValidationExeption | AuthnResponseValidationException e) {
+			Logger.info("PVP response validation FAILED. Msg:" + e.getMessage());			
+			if (msg != null) {
+				IOAAuthParameters idpConfig = authConfig.getOnlineApplicationParameter(msg.getEntityID());
+				
+				//remove federated IDP from SSO session if exists
+				ssoManager.removeInterfederatedSSOIDP(msg.getEntityID(), request);
+				
+				//select next step
+				handleAuthnResponseValidationProblem(executionContext, idpConfig, e);
+								
+			} else
+				throw new TaskExecutionException(pendingReq, "PVP response validation FAILED.", e);
+									
+		} catch (Exception e) {
+			
+			
+		}
+
+	}
+	
+	private void getAuthDataFromInterfederation(AssertionAttributeExtractor extractor, IOAAuthParameters spConfig, 
+			IOAAuthParameters idpConfig) throws BuildException, ConfigurationException{
+		
+		try {
+			Logger.debug("Service Provider is no federated IDP --> start Attribute validation or requesting ... ");
+			Collection<String> requestedAttr = pendingReq.getRequestedAttributes();
+						
+			//check if SAML2 Assertion contains a minimal set of attributes
+			if (!extractor.containsAllRequiredAttributes()) {
+				Logger.info("Received assertion does no contain a minimum set of attributes. Starting AttributeQuery process ...");				
+				
+				//build attributQuery request
+				List<Attribute> attributs = 
+						attributQueryBuilder.buildSAML2AttributeList(spConfig, requestedAttr.iterator());
+			
+				//request IDP to get additional attributes
+				extractor = authDataBuilder.getAuthDataFromAttributeQuery(attributs, extractor.getNameID(), idpConfig);
+								
+			} else {
+				Logger.info("Interfedation response include a minimal set of attributes with are required. Skip AttributQuery request step. ");
+				
+			}														
+			
+			//check if all attributes are include
+			if (!extractor.containsAllRequiredAttributes(
+					pendingReq.getRequestedAttributes())) {
+				Logger.warn("PVP Response from federated IDP contains not all requested attributes.");
+				throw new AssertionValidationExeption("sp.pvp2.06", new Object[]{FederatedAuthConstants.MODULE_NAME_FOR_LOGGING});
+				
+			}
+			
+			//copy attributes into MOASession
+			Set<String> includedAttrNames = extractor.getAllIncludeAttributeNames();
+			for (String el : includedAttrNames) {
+				moasession.setGenericDataToSession(el, extractor.getSingleAttributeValue(el));
+				Logger.debug("Add PVP-attribute " + el + " into MOASession");
+				
+			}
+			
+			//set validTo from this federated IDP response
+			moasession.setGenericDataToSession(
+					AuthenticationSessionStorageConstants.FEDERATION_RESPONSE_VALIDE_TO, 
+					extractor.getAssertionNotOnOrAfter());
+									
+		} catch (AttributQueryException e) {
+			throw new BuildException("builder.06", null, e);
+			
+		} catch (SessionDataStorageException e) {
+			throw new BuildException("builder.06", null, e);
+			
+		} catch (AssertionValidationExeption e) {
+			throw new BuildException("builder.06", null, e);
+			
+		} catch (AssertionAttributeExtractorExeption e) {
+			throw new BuildException("builder.06", null, e);
+			
+		} catch (MOAIDException e) {
+			throw new BuildException("builder.06", null, e);
+			
+		}
+	}
+	
+	/**
+	 * @param executionContext
+	 * @param idpConfig
+	 * @param message 
+	 * @param objects 
+	 * @throws TaskExecutionException 
+	 * @throws Throwable 
+	 */
+	private void handleAuthnResponseValidationProblem(ExecutionContext executionContext, IOAAuthParameters idpConfig, Throwable e) throws TaskExecutionException {
+
+		if (idpConfig != null && idpConfig.isPerformLocalAuthenticationOnInterfederationError()) {
+			Logger.info("Switch to local authentication on this IDP ... ");
+		
+			executionContext.put(MOAIDAuthConstants.PROCESSCONTEXT_REQUIRELOCALAUTHENTICATION, true);
+			executionContext.put(MOAIDAuthConstants.PROCESSCONTEXT_PERFORM_BKUSELECTION, true);
+		
+			executionContext.remove(MOAIDAuthConstants.PROCESSCONTEXT_PERFORM_INTERFEDERATION_AUTH);
+			
+		} else {
+			throw new TaskExecutionException(pendingReq, "PVP response validation FAILED.", e);
+			
+		}
+		
+	}
+	
+	/**
+	 * PreProcess AuthResponse and Assertion 
+	 * @param msg
+	 * @throws TransformerException 
+	 * @throws MarshallingException 
+	 * @throws IOException 
+	 * @throws CredentialsNotAvailableException 
+	 * @throws AssertionValidationExeption 
+	 * @throws AuthnResponseValidationException 
+	 */
+	private MOAResponse preProcessAuthResponse(MOAResponse msg) throws IOException, MarshallingException, TransformerException, AssertionValidationExeption, CredentialsNotAvailableException, AuthnResponseValidationException {
+		Logger.debug("Start PVP21 assertion processing... ");
+		Response samlResp = (Response) msg.getResponse();
+
+		// check SAML2 response status-code
+		if (samlResp.getStatus().getStatusCode().getValue().equals(StatusCode.SUCCESS_URI)) {				
+			//validate PVP 2.1 assertion
+			samlVerificationEngine.validateAssertion(samlResp, true, 
+					credentialProvider.getIDPAssertionEncryptionCredential(),
+					pendingReq.getAuthURL() + FederatedAuthConstants.ENDPOINT_METADATA,
+					FederatedAuthConstants.MODULE_NAME_FOR_LOGGING);
+
+			msg.setSAMLMessage(SAML2Utils.asDOMDocument(samlResp).getDocumentElement());
+			return msg;
+				
+		} else {
+			Logger.info("Receive StatusCode " + samlResp.getStatus().getStatusCode().getValue() 
+				+ " from federated IDP.");
+			throw new AuthnResponseValidationException("sp.pvp2.05", 
+					new Object[]{FederatedAuthConstants.MODULE_NAME_FOR_LOGGING, samlResp.getIssuer().getValue(), samlResp.getStatus().getStatusCode().getValue()});
+					
+		}
+								
+	}	
+
+}
diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/utils/FederatedAuthCredentialProvider.java b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/utils/FederatedAuthCredentialProvider.java
new file mode 100644
index 000000000..aac253083
--- /dev/null
+++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/utils/FederatedAuthCredentialProvider.java
@@ -0,0 +1,123 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth.modules.federatedauth.utils;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Service;
+
+import at.gv.egovernment.moa.id.auth.modules.federatedauth.FederatedAuthConstants;
+import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
+import at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider;
+import at.gv.egovernment.moa.util.FileUtils;
+
+/**
+ * @author tlenz
+ *
+ */
+@Service("FederatedAuthCredentialProvider")
+public class FederatedAuthCredentialProvider extends AbstractCredentialProvider {
+
+	@Autowired AuthConfiguration authConfig;
+	
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider#getKeyStoreFilePath()
+	 */
+	@Override
+	public String getKeyStoreFilePath() {
+		return FileUtils.makeAbsoluteURL(
+					authConfig.getBasicMOAIDConfiguration(FederatedAuthConstants.CONFIG_PROPS_KEYSTORE), 
+					authConfig.getRootConfigFileDir());
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider#getKeyStorePassword()
+	 */
+	@Override
+	public String getKeyStorePassword() {
+		return authConfig.getBasicMOAIDConfiguration(FederatedAuthConstants.CONFIG_PROPS_KEYSTOREPASSWORD).trim();
+
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider#getMetadataKeyAlias()
+	 */
+	@Override
+	public String getMetadataKeyAlias() {
+		return authConfig.getBasicMOAIDConfiguration(
+				FederatedAuthConstants.CONFIG_PROPS_SIGN_METADATA_ALIAS_PASSWORD).trim();
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider#getMetadataKeyPassword()
+	 */
+	@Override
+	public String getMetadataKeyPassword() {
+		return authConfig.getBasicMOAIDConfiguration(
+				FederatedAuthConstants.CONFIG_PROPS_SIGN_METADATA_KEY_PASSWORD).trim();
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider#getSignatureKeyAlias()
+	 */
+	@Override
+	public String getSignatureKeyAlias() {
+		return authConfig.getBasicMOAIDConfiguration(
+				FederatedAuthConstants.CONFIG_PROPS_SIGN_SIGNING_ALIAS_PASSWORD).trim();
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider#getSignatureKeyPassword()
+	 */
+	@Override
+	public String getSignatureKeyPassword() {
+		return authConfig.getBasicMOAIDConfiguration(
+				FederatedAuthConstants.CONFIG_PROPS_SIGN_SIGNING_KEY_PASSWORD).trim();
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider#getEncryptionKeyAlias()
+	 */
+	@Override
+	public String getEncryptionKeyAlias() {
+		return authConfig.getBasicMOAIDConfiguration(
+				FederatedAuthConstants.CONFIG_PROPS_ENCRYPTION_ALIAS_PASSWORD).trim();
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider#getEncryptionKeyPassword()
+	 */
+	@Override
+	public String getEncryptionKeyPassword() {
+		return authConfig.getBasicMOAIDConfiguration(
+				FederatedAuthConstants.CONFIG_PROPS_ENCRYPTION_KEY_PASSWORD).trim();
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider#getCredentialName()
+	 */
+	@Override
+	public String getFriendlyName() {
+		return "FederatedAuth-SP";
+	}
+
+}
diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/resources/META-INF/services/at.gv.egiz.components.spring.api.SpringResourceProvider b/id/server/modules/moa-id-modules-federated_authentication/src/main/resources/META-INF/services/at.gv.egiz.components.spring.api.SpringResourceProvider
new file mode 100644
index 000000000..28e4ae944
--- /dev/null
+++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/resources/META-INF/services/at.gv.egiz.components.spring.api.SpringResourceProvider
@@ -0,0 +1 @@
+at.gv.egovernment.moa.id.auth.modules.federatedauth.FederatedAuthenticationSpringResourceProvider
+\ No newline at end of file
diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/resources/at/gv/egovernment/moa/id/auth/modules/federatedauth/federated.Authentication.process.xml b/id/server/modules/moa-id-modules-federated_authentication/src/main/resources/at/gv/egovernment/moa/id/auth/modules/federatedauth/federated.Authentication.process.xml
new file mode 100644
index 000000000..c5c491ff8
--- /dev/null
+++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/resources/at/gv/egovernment/moa/id/auth/modules/federatedauth/federated.Authentication.process.xml
@@ -0,0 +1,26 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<pd:ProcessDefinition id="SSOfederationAuthentication" xmlns:pd="http://reference.e-government.gv.at/namespace/moa/process/definition/v1">
+
+
+	<pd:Task id="createInterfederationAuthnRequest" 	class="CreateFederatedAuthnRequestTask" />
+	<pd:Task id="receiveInterfederationAuthnResponse"	class="ReceiveFederatedAuthnResponseTask" async="true" />
+	<pd:Task id="finalizeAuthentication" 							class="FinalizeAuthenticationTask" />	
+	<pd:Task id="restartAuthProzessManagement"  			class="RestartAuthProzessManagement"/>
+
+	<pd:StartEvent id="start" />	
+	
+	<pd:Transition from="start"	to="createInterfederationAuthnRequest" />	
+	
+	<!-- Switch to local authentication -->
+	<pd:Transition from="createInterfederationAuthnRequest" 	to="restartAuthProzessManagement" conditionExpression="ctx['requireLocalAuthentication']"/>
+	<pd:Transition from="receiveInterfederationAuthnResponse" to="restartAuthProzessManagement" conditionExpression="ctx['requireLocalAuthentication']"/>
+	<pd:Transition from="restartAuthProzessManagement"    		to="end" />
+	
+	<!-- Perform federated authentication -->
+	<pd:Transition from="createInterfederationAuthnRequest" 	to="receiveInterfederationAuthnResponse"/>
+	<pd:Transition from="receiveInterfederationAuthnResponse" to="finalizeAuthentication"/>	
+	<pd:Transition from="finalizeAuthentication"    					to="end" />
+			
+	<pd:EndEvent id="end" />
+
+</pd:ProcessDefinition>
+\ No newline at end of file
diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/resources/moaid_federated_auth.beans.xml b/id/server/modules/moa-id-modules-federated_authentication/src/main/resources/moaid_federated_auth.beans.xml
new file mode 100644
index 000000000..4933504f0
--- /dev/null
+++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/resources/moaid_federated_auth.beans.xml
@@ -0,0 +1,36 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xmlns:context="http://www.springframework.org/schema/context"
+	xmlns:tx="http://www.springframework.org/schema/tx"
+	xmlns:aop="http://www.springframework.org/schema/aop"
+	xsi:schemaLocation="http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-3.1.xsd
+		http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+		http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd
+		http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.0.xsd">
+ 
+
+<!-- Federated authentication services -->
+	<bean id="FederatedAuthCredentialProvider"
+	      class="at.gv.egovernment.moa.id.auth.modules.federatedauth.utils.FederatedAuthCredentialProvider"/>
+
+	<bean	id="FederatedAuthMetadataController"
+				class="at.gv.egovernment.moa.id.auth.modules.federatedauth.controller.FederatedAuthMetadataController"/>
+				
+	<bean	id="FederatedAuthModule"
+				class="at.gv.egovernment.moa.id.auth.modules.federatedauth.FederatedAuthenticationModuleImpl"/>				
+	
+	<bean	id="FederatedAuthSignalController"
+				class="at.gv.egovernment.moa.id.auth.modules.federatedauth.controller.FederatedAuthSignalController"/>
+	
+	
+<!-- Federated Authentication Process Tasks -->
+	<bean id="CreateFederatedAuthnRequestTask" 
+				class="at.gv.egovernment.moa.id.auth.modules.federatedauth.tasks.CreateAuthnRequestTask"
+				scope="prototype"/>
+				
+	<bean id="ReceiveFederatedAuthnResponseTask" 
+				class="at.gv.egovernment.moa.id.auth.modules.federatedauth.tasks.ReceiveAuthnResponseTask"
+				scope="prototype"/>
+																								
+</beans>
+\ No newline at end of file