From 5acd1d23f3702d8899f531e823da68cd9fccaaa4 Mon Sep 17 00:00:00 2001
From: Thomas Lenz <tlenz@iaik.tugraz.at>
Date: Mon, 2 Jul 2018 18:08:04 +0200
Subject: update auth. module for central eIDAS node connection

---
 id/server/auth-edu/pom.xml                         |   4 +
 id/server/auth-final/pom.xml                       |   5 +
 .../pvp2x/validation/AuthnRequestValidator.java    |  78 +++++
 .../main/resources/moaid.authentication.beans.xml  |   3 +
 .../moa-id-module-AT_eIDAS_connector/pom.xml       |  59 ++++
 .../EidasCentralAuthConstants.java                 |  93 ++++++
 .../EidasCentralAuthModuleImpl.java                |  92 ++++++
 .../EidasCentralAuthSpringResourceProvider.java    |  63 ++++
 .../EidasCentralAuthMetadataConfiguration.java     | 355 +++++++++++++++++++++
 ...idasCentralAuthRequestBuilderConfiguration.java | 262 +++++++++++++++
 .../EidasCentralAuthMetadataController.java        | 133 ++++++++
 .../EidasCentralAuthSignalController.java          |  67 ++++
 .../tasks/CreateAuthnRequestTask.java              | 164 ++++++++++
 .../tasks/ReceiveAuthnResponseTask.java            | 272 ++++++++++++++++
 .../utils/EidasCentralAuthCredentialProvider.java  | 124 +++++++
 .../utils/EidasCentralAuthMetadataProvider.java    | 345 ++++++++++++++++++++
 ...iz.components.spring.api.SpringResourceProvider |   1 +
 .../resources/eIDAS_central_node_auth.process.xml  |  17 +
 .../moaid_eIDAS_central_node_auth.beans.xml        |  41 +++
 .../eidas/attributes/builder/eIDASMetadata.java    |   5 +
 .../ELGAMandatesRequestBuilderConfiguration.java   |  13 +-
 .../FederatedAuthnRequestBuilderConfiguration.java |  13 +-
 id/server/modules/pom.xml                          |   1 +
 pom.xml                                            |   6 +
 24 files changed, 2214 insertions(+), 2 deletions(-)
 create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/AuthnRequestValidator.java
 create mode 100644 id/server/modules/moa-id-module-AT_eIDAS_connector/pom.xml
 create mode 100644 id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/EidasCentralAuthConstants.java
 create mode 100644 id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/EidasCentralAuthModuleImpl.java
 create mode 100644 id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/EidasCentralAuthSpringResourceProvider.java
 create mode 100644 id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/config/EidasCentralAuthMetadataConfiguration.java
 create mode 100644 id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/config/EidasCentralAuthRequestBuilderConfiguration.java
 create mode 100644 id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/controller/EidasCentralAuthMetadataController.java
 create mode 100644 id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/controller/EidasCentralAuthSignalController.java
 create mode 100644 id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/tasks/CreateAuthnRequestTask.java
 create mode 100644 id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/tasks/ReceiveAuthnResponseTask.java
 create mode 100644 id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/utils/EidasCentralAuthCredentialProvider.java
 create mode 100644 id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/utils/EidasCentralAuthMetadataProvider.java
 create mode 100644 id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/resources/META-INF/services/at.gv.egiz.components.spring.api.SpringResourceProvider
 create mode 100644 id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/resources/eIDAS_central_node_auth.process.xml
 create mode 100644 id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/resources/moaid_eIDAS_central_node_auth.beans.xml
 create mode 100644 id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eIDASMetadata.java

diff --git a/id/server/auth-edu/pom.xml b/id/server/auth-edu/pom.xml
index 455278edd..8f4ab662e 100644
--- a/id/server/auth-edu/pom.xml
+++ b/id/server/auth-edu/pom.xml
@@ -213,6 +213,10 @@
 		 	<artifactId>moa-id-module-sl20_authentication</artifactId>
 		 </dependency>		
 
+		<dependency>
+			<groupId>MOA.id.server.modules</groupId>
+			<artifactId>moa-id-module-AT_eIDAS_connector</artifactId>
+		</dependency> 
 
 <!-- 	
 		<dependency>
diff --git a/id/server/auth-final/pom.xml b/id/server/auth-final/pom.xml
index 4f5f219a1..15208bb47 100644
--- a/id/server/auth-final/pom.xml
+++ b/id/server/auth-final/pom.xml
@@ -165,6 +165,11 @@
 			<artifactId>moa-id-modul-citizencard_authentication</artifactId>
 		</dependency>
 
+		<dependency>
+			<groupId>MOA.id.server.modules</groupId>
+			<artifactId>moa-id-module-AT_eIDAS_connector</artifactId>
+		</dependency>
+
 			<!--dependency>
 				<groupId>MOA.id.server.modules</groupId>
 				<artifactId>moa-id-modules-federated_authentication</artifactId>
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/AuthnRequestValidator.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/AuthnRequestValidator.java
new file mode 100644
index 000000000..b42a1de28
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/AuthnRequestValidator.java
@@ -0,0 +1,78 @@
+/*******************************************************************************
+ *******************************************************************************/
+package at.gv.egovernment.moa.id.protocols.pvp2x.validation;
+
+import javax.servlet.http.HttpServletRequest;
+
+import org.opensaml.saml2.core.AuthnRequest;
+import org.opensaml.saml2.core.NameID;
+import org.opensaml.saml2.core.NameIDPolicy;
+import org.opensaml.saml2.metadata.AttributeConsumingService;
+import org.opensaml.saml2.metadata.SPSSODescriptor;
+import org.springframework.stereotype.Service;
+
+import at.gv.egiz.eaaf.core.api.IRequest;
+import at.gv.egiz.eaaf.core.exceptions.AuthnRequestValidatorException;
+import at.gv.egiz.eaaf.modules.pvp2.api.validation.IAuthnRequestValidator;
+import at.gv.egiz.eaaf.modules.pvp2.exception.NameIDFormatNotSupportedException;
+import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants;
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.MandateAttributesNotHandleAbleException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.utils.CheckMandateAttributes;
+import at.gv.egovernment.moa.logging.Logger;
+
+
+/**
+ * @author tlenz
+ *
+ */
+@Service("MOAAuthnRequestValidator")
+public class AuthnRequestValidator implements IAuthnRequestValidator {
+	
+	public void validate(HttpServletRequest httpReq, IRequest pendingReq, AuthnRequest authnReq, SPSSODescriptor spSSODescriptor) throws AuthnRequestValidatorException{
+
+		//validate NameIDPolicy
+		NameIDPolicy nameIDPolicy = authnReq.getNameIDPolicy();
+		if (nameIDPolicy != null) {
+			String nameIDFormat = nameIDPolicy.getFormat();
+			if (nameIDFormat != null) {
+				if ( !(NameID.TRANSIENT.equals(nameIDFormat) ||
+						NameID.PERSISTENT.equals(nameIDFormat) ||
+						NameID.UNSPECIFIED.equals(nameIDFormat)) ) {
+				 
+					throw new NameIDFormatNotSupportedException(nameIDFormat);
+					
+				}
+				
+			} else
+				Logger.trace("Find NameIDPolicy, but NameIDFormat is 'null'");							
+		} else
+			Logger.trace("AuthnRequest includes no 'NameIDPolicy'");
+
+		//select AttributeConsumingService from request
+		AttributeConsumingService attributeConsumer = null;		
+		Integer aIdx = authnReq.getAttributeConsumingServiceIndex();
+		int attributeIdx = 0;
+	
+		if(aIdx != null) {
+			attributeIdx = aIdx.intValue();
+		}
+		
+		if (spSSODescriptor.getAttributeConsumingServices() != null  && 
+				spSSODescriptor.getAttributeConsumingServices().size() > 0) {
+			attributeConsumer  = spSSODescriptor.getAttributeConsumingServices().get(attributeIdx);
+		} 
+		
+		String useMandate = httpReq.getParameter(MOAIDAuthConstants.PARAM_USEMANDATE);
+		if(useMandate != null) {
+			if(useMandate.equals("true") && attributeConsumer != null) {
+				if(!CheckMandateAttributes.canHandleMandate(attributeConsumer)) {
+					MandateAttributesNotHandleAbleException e = new MandateAttributesNotHandleAbleException();	
+					throw new AuthnRequestValidatorException(e.getErrorId(), e.getParams(), e.getMessage(), pendingReq, e);
+				}
+			}
+		}
+		
+		
+	}
+
+}
diff --git a/id/server/idserverlib/src/main/resources/moaid.authentication.beans.xml b/id/server/idserverlib/src/main/resources/moaid.authentication.beans.xml
index 5ccacf350..a0bf1e86c 100644
--- a/id/server/idserverlib/src/main/resources/moaid.authentication.beans.xml
+++ b/id/server/idserverlib/src/main/resources/moaid.authentication.beans.xml
@@ -46,6 +46,9 @@
 		</property>
  	</bean>
  
+ 	<bean id="MOAAuthnRequestValidator"
+ 			class="at.gv.egovernment.moa.id.protocols.pvp2x.validation.AuthnRequestValidator" />
+ 
 	<bean id="MOAID_AuthenticationManager" 
 				class="at.gv.egovernment.moa.id.moduls.AuthenticationManager"/>
 
diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/pom.xml b/id/server/modules/moa-id-module-AT_eIDAS_connector/pom.xml
new file mode 100644
index 000000000..c340f90c9
--- /dev/null
+++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/pom.xml
@@ -0,0 +1,59 @@
+<?xml version="1.0"?>
+<project xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd" xmlns="http://maven.apache.org/POM/4.0.0"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+  <modelVersion>4.0.0</modelVersion>
+  <parent>
+    <groupId>MOA.id.server.modules</groupId>
+    <artifactId>moa-id-modules</artifactId>
+    <version>${moa-id-version}</version>
+  </parent>
+  <artifactId>moa-id-module-AT_eIDAS_connector</artifactId>
+  <name>moa-id-module-AT_eIDAS_connector</name>
+  <url>http://maven.apache.org</url>
+  <properties>
+    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+    <repositoryPath>${basedir}/../../../../repository</repositoryPath>
+  </properties>
+  
+  <profiles>
+        <profile>
+            <id>default</id>
+            <activation>
+                <activeByDefault>true</activeByDefault>
+            </activation>
+            <repositories>
+                <repository>
+                    <id>local</id>
+                    <name>local</name>
+                    <url>file:${basedir}/../../../../repository</url>
+                </repository>
+                <repository>
+                    <id>egiz-commons</id>
+                    <url>https://demo.egiz.gv.at/int-repo/</url>
+                    <releases>
+                        <enabled>true</enabled>
+                    </releases>
+                </repository>
+            </repositories>
+        </profile>
+    </profiles>
+  
+  <dependencies>
+  	<dependency>
+  		<groupId>MOA.id.server</groupId>
+  		<artifactId>moa-id-lib</artifactId>
+  	</dependency>
+  
+  
+  	<dependency>
+		<groupId>org.springframework</groupId>
+		<artifactId>spring-test</artifactId>
+		<scope>test</scope>
+	</dependency>  
+    <dependency>
+     	<groupId>junit</groupId>
+      	<artifactId>junit</artifactId>
+      	<scope>test</scope>
+    </dependency>
+  </dependencies>
+</project>
diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/EidasCentralAuthConstants.java b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/EidasCentralAuthConstants.java
new file mode 100644
index 000000000..e8694383f
--- /dev/null
+++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/EidasCentralAuthConstants.java
@@ -0,0 +1,93 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+import at.gv.egiz.eaaf.core.api.data.EAAFConstants;
+import at.gv.egiz.eaaf.core.impl.data.Trible;
+import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
+
+/**
+ * @author tlenz
+ *
+ */
+public class EidasCentralAuthConstants {
+
+	public static final String MODULE_NAME_FOR_LOGGING = "eIDAS central authentication";
+	
+	public static final int METADATA_VALIDUNTIL_IN_HOURS = 24; 
+	
+	public static final String HTTP_PARAM_CENTRAL_EIDAS_AUTH_SELECTION = "useeIDAS";
+	
+	public static final String ENDPOINT_POST = "/sp/eidas/post";
+	public static final String ENDPOINT_REDIRECT = "/sp/eidas/redirect";
+	public static final String ENDPOINT_METADATA = "/sp/eidas/metadata";
+
+	public static final String CONFIG_PROPS_PREFIX = "modules.eidascentralauth.";	
+	public static final String CONFIG_PROPS_KEYSTORE = CONFIG_PROPS_PREFIX + "keystore.path";
+	public static final String CONFIG_PROPS_KEYSTOREPASSWORD = CONFIG_PROPS_PREFIX + "keystore.password";
+	public static final String CONFIG_PROPS_SIGN_METADATA_KEY_PASSWORD = CONFIG_PROPS_PREFIX + "metadata.sign.password";
+	public static final String CONFIG_PROPS_SIGN_METADATA_ALIAS_PASSWORD = CONFIG_PROPS_PREFIX + "metadata.sign.alias";
+	public static final String CONFIG_PROPS_SIGN_SIGNING_KEY_PASSWORD = CONFIG_PROPS_PREFIX + "request.sign.password";
+	public static final String CONFIG_PROPS_SIGN_SIGNING_ALIAS_PASSWORD = CONFIG_PROPS_PREFIX + "request.sign.alias";
+	public static final String CONFIG_PROPS_ENCRYPTION_KEY_PASSWORD = CONFIG_PROPS_PREFIX + "response.encryption.password";
+	public static final String CONFIG_PROPS_ENCRYPTION_ALIAS_PASSWORD = CONFIG_PROPS_PREFIX + "response.encryption.alias";	
+	public static final String CONFIG_PROPS_REQUIRED_PVP_ATTRIBUTES_LIST = CONFIG_PROPS_PREFIX + "required.additinal.attributes";	
+	public static final String CONFIG_PROPS_NODE_ENTITYID = CONFIG_PROPS_PREFIX + "node.entityId";
+	public static final String CONFIG_PROPS_NODE_METADATAURL = CONFIG_PROPS_PREFIX + "node.metadataUrl";
+	public static final String CONFIG_PROPS_NODE_TRUSTPROFILEID = CONFIG_PROPS_PREFIX + "node.trustprofileID";	
+	
+	
+	public static final String CONFIG_DEFAULT_LOA_EIDAS_LEVEL = EAAFConstants.EIDAS_QAA_HIGH;	
+	public static final List<Trible<String, String, Boolean>> DEFAULT_REQUIRED_PVP_ATTRIBUTES = 
+			Collections.unmodifiableList(new ArrayList<Trible<String, String, Boolean>>() {
+				private static final long serialVersionUID = 1L;
+				{	
+					//add PVP Version attribute
+					add(Trible.newInstance(PVPConstants.PVP_VERSION_NAME, PVPConstants.PVP_VERSION_FRIENDLY_NAME, true));
+					
+					//request entity information
+					add(Trible.newInstance(PVPConstants.GIVEN_NAME_NAME, PVPConstants.GIVEN_NAME_FRIENDLY_NAME, true));
+					add(Trible.newInstance(PVPConstants.PRINCIPAL_NAME_NAME, PVPConstants.PRINCIPAL_NAME_FRIENDLY_NAME, true));
+					add(Trible.newInstance(PVPConstants.BIRTHDATE_NAME, PVPConstants.BIRTHDATE_FRIENDLY_NAME, true));
+					add(Trible.newInstance(PVPConstants.BPK_NAME, PVPConstants.BPK_FRIENDLY_NAME, true));
+					add(Trible.newInstance(PVPConstants.EID_SECTOR_FOR_IDENTIFIER_NAME, PVPConstants.EID_SECTOR_FOR_IDENTIFIER_FRIENDLY_NAME, true));
+					add(Trible.newInstance(PVPConstants.EID_CITIZEN_EIDAS_QAA_LEVEL_NAME, PVPConstants.EID_CITIZEN_EIDAS_QAA_LEVEL_FRIENDLY_NAME, true));
+					add(Trible.newInstance(PVPConstants.EID_ISSUING_NATION_NAME, PVPConstants.EID_ISSUING_NATION_FRIENDLY_NAME, true));
+				}
+			});
+	
+	public static final List<String> DEFAULT_REQUIRED_PVP_ATTRIBUTE_NAMES = 
+			Collections.unmodifiableList(new ArrayList<String>() {
+				private static final long serialVersionUID = 1L;
+				{	
+					for (Trible<String, String, Boolean> el : DEFAULT_REQUIRED_PVP_ATTRIBUTES) 
+						add(el.getFirst());
+				}
+			});
+}
+
+
diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/EidasCentralAuthModuleImpl.java b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/EidasCentralAuthModuleImpl.java
new file mode 100644
index 000000000..f1bec9dac
--- /dev/null
+++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/EidasCentralAuthModuleImpl.java
@@ -0,0 +1,92 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth;
+
+import java.io.Serializable;
+
+import javax.annotation.PostConstruct;
+
+import org.apache.commons.lang3.StringUtils;
+import org.springframework.beans.factory.annotation.Autowired;
+
+import at.gv.egiz.eaaf.core.api.idp.auth.modules.AuthModule;
+import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext;
+import at.gv.egovernment.moa.id.moduls.AuthenticationManager;
+import at.gv.egovernment.moa.logging.Logger;
+
+/**
+ * @author tlenz
+ *
+ */
+public class EidasCentralAuthModuleImpl implements AuthModule {
+
+	@Autowired(required=true) private AuthenticationManager authManager;
+	
+	@PostConstruct
+	protected void initalCentralEidasAuthentication() {
+		//parameter to whiteList
+		authManager.addParameterNameToWhiteList(EidasCentralAuthConstants.HTTP_PARAM_CENTRAL_EIDAS_AUTH_SELECTION);
+		
+	}
+	
+	
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.auth.modules.AuthModule#getPriority()
+	 */
+	@Override
+	public int getPriority() {
+		// TODO Auto-generated method stub
+		return 0;
+	} 
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.auth.modules.AuthModule#selectProcess(at.gv.egovernment.moa.id.process.api.ExecutionContext)
+	 */
+	@Override
+	public String selectProcess(ExecutionContext context) {
+		Serializable paramObj = context.get(EidasCentralAuthConstants.HTTP_PARAM_CENTRAL_EIDAS_AUTH_SELECTION);
+		if (paramObj instanceof String) {
+			String param = (String)paramObj;
+			if (StringUtils.isNotEmpty(param) && Boolean.parseBoolean(param)) {
+				Logger.debug("Centrial eIDAS authentication process selected ");
+				return "centrialEidasAuthentication";
+				
+			} else
+				Logger.trace(EidasCentralAuthConstants.HTTP_PARAM_CENTRAL_EIDAS_AUTH_SELECTION 
+						+ " is empty or has value: " + Boolean.parseBoolean(param));
+		
+		} else
+			Logger.info("Find suspect http param '" + EidasCentralAuthConstants.HTTP_PARAM_CENTRAL_EIDAS_AUTH_SELECTION 
+					+ "' of type: " + paramObj.getClass().getName());
+		return null;		
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.auth.modules.AuthModule#getProcessDefinitions()
+	 */
+	@Override
+	public String[] getProcessDefinitions() {
+		return new String[] { "classpath:eIDAS_central_node_auth.process.xml" };
+	}
+
+}
diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/EidasCentralAuthSpringResourceProvider.java b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/EidasCentralAuthSpringResourceProvider.java
new file mode 100644
index 000000000..beaaee619
--- /dev/null
+++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/EidasCentralAuthSpringResourceProvider.java
@@ -0,0 +1,63 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth;
+
+import org.springframework.core.io.ClassPathResource;
+import org.springframework.core.io.Resource;
+
+import at.gv.egiz.components.spring.api.SpringResourceProvider;
+
+/**
+ * @author tlenz
+ *
+ */
+public class EidasCentralAuthSpringResourceProvider implements SpringResourceProvider {
+
+	/* (non-Javadoc)
+	 * @see at.gv.egiz.components.spring.api.SpringResourceProvider#getResourcesToLoad()
+	 */
+	@Override
+	public Resource[] getResourcesToLoad() {
+		ClassPathResource federationAuthConfig = new ClassPathResource("/moaid_eIDAS_central_node_auth.beans.xml", EidasCentralAuthSpringResourceProvider.class);					
+		
+		return new Resource[] {federationAuthConfig};
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egiz.components.spring.api.SpringResourceProvider#getPackagesToScan()
+	 */
+	@Override
+	public String[] getPackagesToScan() {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egiz.components.spring.api.SpringResourceProvider#getName()
+	 */
+	@Override
+	public String getName() {
+		return "MOA-ID Auth-module 'central eIDAS Authentication'";
+	}
+
+}
diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/config/EidasCentralAuthMetadataConfiguration.java b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/config/EidasCentralAuthMetadataConfiguration.java
new file mode 100644
index 000000000..aad1244f1
--- /dev/null
+++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/config/EidasCentralAuthMetadataConfiguration.java
@@ -0,0 +1,355 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.config;
+
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+import org.opensaml.saml2.core.Attribute;
+import org.opensaml.saml2.core.NameIDType;
+import org.opensaml.saml2.metadata.ContactPerson;
+import org.opensaml.saml2.metadata.Organization;
+import org.opensaml.saml2.metadata.RequestedAttribute;
+import org.opensaml.xml.security.credential.Credential;
+
+import at.gv.egiz.eaaf.core.exceptions.EAAFException;
+import at.gv.egiz.eaaf.core.impl.data.Pair;
+import at.gv.egiz.eaaf.core.impl.data.Trible;
+import at.gv.egiz.eaaf.modules.pvp2.api.IPVP2BasicConfiguration;
+import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPVPMetadataBuilderConfiguration;
+import at.gv.egiz.eaaf.modules.pvp2.exception.CredentialsNotAvailableException;
+import at.gv.egiz.eaaf.modules.pvp2.impl.builder.PVPAttributeBuilder;
+import at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.EidasCentralAuthConstants;
+import at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.utils.EidasCentralAuthCredentialProvider;
+import at.gv.egovernment.moa.logging.Logger;
+
+/**
+ * @author tlenz
+ *
+ */
+public class EidasCentralAuthMetadataConfiguration implements IPVPMetadataBuilderConfiguration {
+
+	private Collection<RequestedAttribute> additionalAttributes = null;
+	
+	
+	private String authURL;
+	private EidasCentralAuthCredentialProvider credentialProvider;
+	private IPVP2BasicConfiguration pvpConfiguration;
+	
+	public EidasCentralAuthMetadataConfiguration(String authURL, 
+			EidasCentralAuthCredentialProvider credentialProvider,
+			IPVP2BasicConfiguration pvpConfiguration) {
+		this.authURL = authURL;
+		this.credentialProvider = credentialProvider;
+		this.pvpConfiguration = pvpConfiguration;
+	}
+	
+	
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getMetadataValidUntil()
+	 */
+	@Override
+	public int getMetadataValidUntil() {
+		return EidasCentralAuthConstants.METADATA_VALIDUNTIL_IN_HOURS;
+		
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#buildEntitiesDescriptorAsRootElement()
+	 */
+	@Override
+	public boolean buildEntitiesDescriptorAsRootElement() {
+		return false;
+		
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#buildIDPSSODescriptor()
+	 */
+	@Override
+	public boolean buildIDPSSODescriptor() {
+		return false;
+		
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#buildSPSSODescriptor()
+	 */
+	@Override
+	public boolean buildSPSSODescriptor() {
+		return true;
+		
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getEntityIDPostfix()
+	 */
+	@Override
+	public String getEntityID() {
+		return authURL + EidasCentralAuthConstants.ENDPOINT_METADATA;
+		
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getEntityFriendlyName()
+	 */
+	@Override
+	public String getEntityFriendlyName() {
+		return null;
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getContactPersonInformation()
+	 */
+	@Override
+	public List<ContactPerson> getContactPersonInformation() {
+		try {
+			return pvpConfiguration.getIDPContacts();
+			
+		} catch (EAAFException e) {
+			Logger.warn("Can not load Metadata entry: Contect Person", e);
+			return null;
+			
+		}
+		
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getOrgansiationInformation()
+	 */
+	@Override
+	public Organization getOrgansiationInformation() {
+		try {
+			return pvpConfiguration.getIDPOrganisation();
+			
+		} catch (EAAFException e) {
+			Logger.warn("Can not load Metadata entry: Organisation", e);
+			return null;
+			
+		}
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getMetadataSigningCredentials()
+	 */
+	@Override
+	public Credential getMetadataSigningCredentials() throws CredentialsNotAvailableException {
+		return credentialProvider.getIDPMetaDataSigningCredential();
+		
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getRequestorResponseSigningCredentials()
+	 */
+	@Override
+	public Credential getRequestorResponseSigningCredentials() throws CredentialsNotAvailableException {
+		return credentialProvider.getIDPAssertionSigningCredential();
+		
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getEncryptionCredentials()
+	 */
+	@Override
+	public Credential getEncryptionCredentials() throws CredentialsNotAvailableException {
+		return credentialProvider.getIDPAssertionEncryptionCredential();
+		
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getIDPWebSSOPostBindingURL()
+	 */
+	@Override
+	public String getIDPWebSSOPostBindingURL() {
+		return null;
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getIDPWebSSORedirectBindingURL()
+	 */
+	@Override
+	public String getIDPWebSSORedirectBindingURL() {
+		return null;
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getIDPSLOPostBindingURL()
+	 */
+	@Override
+	public String getIDPSLOPostBindingURL() {
+		return null;
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getIDPSLORedirectBindingURL()
+	 */
+	@Override
+	public String getIDPSLORedirectBindingURL() {
+		return null;
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getSPAssertionConsumerServicePostBindingURL()
+	 */
+	@Override
+	public String getSPAssertionConsumerServicePostBindingURL() {
+		return authURL + EidasCentralAuthConstants.ENDPOINT_POST;
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getSPAssertionConsumerServiceRedirectBindingURL()
+	 */
+	@Override
+	public String getSPAssertionConsumerServiceRedirectBindingURL() {
+		return authURL + EidasCentralAuthConstants.ENDPOINT_REDIRECT;
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getSPSLOPostBindingURL()
+	 */
+	@Override
+	public String getSPSLOPostBindingURL() {
+		return null;
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getSPSLORedirectBindingURL()
+	 */
+	@Override
+	public String getSPSLORedirectBindingURL() {
+		return null;
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getSPSLOSOAPBindingURL()
+	 */
+	@Override
+	public String getSPSLOSOAPBindingURL() {
+		return null;
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getIDPPossibleAttributes()
+	 */
+	@Override
+	public List<Attribute> getIDPPossibleAttributes() {
+		return null;
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getIDPPossibleNameITTypes()
+	 */
+	@Override
+	public List<String> getIDPPossibleNameITTypes() {
+		return null;
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getSPRequiredAttributes()
+	 */
+	@Override
+	public Collection<RequestedAttribute> getSPRequiredAttributes() {		
+		Map<String, RequestedAttribute> requestedAttributes = new HashMap<String, RequestedAttribute>();
+		for (Trible<String, String, Boolean> el : EidasCentralAuthConstants.DEFAULT_REQUIRED_PVP_ATTRIBUTES)
+			requestedAttributes.put(el.getFirst(), PVPAttributeBuilder.buildReqAttribute(el.getFirst(), el.getSecond(), el.getThird()));
+		
+		if (additionalAttributes != null) {
+			Logger.trace("Add additional PVP attributes into metadata ... ");
+			for (RequestedAttribute el : additionalAttributes) {
+				if (requestedAttributes.containsKey(el.getName()))
+					Logger.debug("Attribute " + el.getName() + " is already added by default configuration. Overwrite it by user configuration");
+
+				requestedAttributes.put(el.getName(), el);					
+				
+			}			
+		}
+		
+		return requestedAttributes.values();
+		
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getSPAllowedNameITTypes()
+	 */
+	@Override
+	public List<String> getSPAllowedNameITTypes() {
+		return Arrays.asList(NameIDType.PERSISTENT);
+		
+	}
+
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPMetadataBuilderConfiguration#getSPNameForLogging()
+	 */
+	@Override
+	public String getSPNameForLogging() {
+		return EidasCentralAuthConstants.MODULE_NAME_FOR_LOGGING;
+	}
+
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPMetadataBuilderConfiguration#wantAssertionSigned()
+	 */
+	@Override
+	public boolean wantAssertionSigned() {
+		return false;
+	}
+
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPMetadataBuilderConfiguration#wantAuthnRequestSigned()
+	 */
+	@Override
+	public boolean wantAuthnRequestSigned() {
+		return true;
+	}
+
+	/**
+	 * Add additonal PVP attributes that are required by this deployment
+	 * 
+	 * @param additionalAttr List of PVP attribute name and isRequired flag 
+	 */
+	public void setAdditionalRequiredAttributes(List<Pair<String, Boolean>> additionalAttr) {
+		if (additionalAttr != null) {
+			additionalAttributes = new ArrayList<RequestedAttribute>();
+			for (Pair<String, Boolean> el : additionalAttr) {
+				Attribute attributBuilder = PVPAttributeBuilder.buildEmptyAttribute(el.getFirst());
+				if (attributBuilder != null) {
+					additionalAttributes.add(
+							PVPAttributeBuilder.buildReqAttribute(
+									attributBuilder.getName(), 
+									attributBuilder.getFriendlyName(), 
+									el.getSecond()));
+										
+				} else
+					Logger.info("NO PVP attribute with name: " + el.getFirst());
+				
+			}			
+		}		
+	}
+	
+}
diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/config/EidasCentralAuthRequestBuilderConfiguration.java b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/config/EidasCentralAuthRequestBuilderConfiguration.java
new file mode 100644
index 000000000..ebbe08588
--- /dev/null
+++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/config/EidasCentralAuthRequestBuilderConfiguration.java
@@ -0,0 +1,262 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.config;
+
+import java.util.List;
+
+import org.opensaml.saml2.core.AuthnContextComparisonTypeEnumeration;
+import org.opensaml.saml2.core.NameID;
+import org.opensaml.saml2.metadata.EntityDescriptor;
+import org.opensaml.xml.security.credential.Credential;
+import org.w3c.dom.Element;
+
+import at.gv.egiz.eaaf.modules.pvp2.api.reqattr.EAAFRequestedAttribute;
+import at.gv.egiz.eaaf.modules.pvp2.sp.api.IPVPAuthnRequestBuilderConfiguruation;
+import at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.EidasCentralAuthConstants;
+
+/**
+ * @author tlenz
+ *
+ */
+public class EidasCentralAuthRequestBuilderConfiguration implements IPVPAuthnRequestBuilderConfiguruation {
+
+	private boolean isPassive;
+	private String SPEntityID;
+	private String QAA_Level;
+	private EntityDescriptor idpEntity;
+	private Credential signCred;
+	private String scopeRequesterId;
+	private String providerName;
+	private List<EAAFRequestedAttribute> requestedAttributes;
+	
+	
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#isPassivRequest()
+	 */
+	@Override
+	public Boolean isPassivRequest() {
+		return this.isPassive;
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getAssertionConsumerServiceId()
+	 */
+	@Override
+	public Integer getAssertionConsumerServiceId() {
+		return 0;
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getEntityID()
+	 */
+	@Override
+	public String getSPEntityID() {
+		return this.SPEntityID;
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getNameIDPolicy()
+	 */
+	@Override
+	public String getNameIDPolicyFormat() {
+		return NameID.PERSISTENT;
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getNameIDPolicy()
+	 */
+	@Override
+	public boolean getNameIDPolicyAllowCreation() {
+		return true;
+	}
+	
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getAuthnContextClassRef()
+	 */
+	@Override
+	public String getAuthnContextClassRef() {
+		return this.QAA_Level;
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getAuthnContextComparison()
+	 */
+	@Override
+	public AuthnContextComparisonTypeEnumeration getAuthnContextComparison() {
+		return AuthnContextComparisonTypeEnumeration.MINIMUM;
+	}
+
+	/**
+	 * @param isPassive the isPassive to set
+	 */
+	public void setPassive(boolean isPassive) {
+		this.isPassive = isPassive;
+	}
+
+	/**
+	 * @param sPEntityID the sPEntityID to set
+	 */
+	public void setSPEntityID(String sPEntityID) {
+		SPEntityID = sPEntityID;
+	}
+
+	/**
+	 * @param qAA_Level the qAA_Level to set
+	 */
+	public void setQAA_Level(String qAA_Level) {
+		QAA_Level = qAA_Level;
+	}
+
+	/**
+	 * @param idpEntity the idpEntity to set
+	 */
+	public void setIdpEntity(EntityDescriptor idpEntity) {
+		this.idpEntity = idpEntity;
+	}
+
+	/**
+	 * @param signCred the signCred to set
+	 */
+	public void setSignCred(Credential signCred) {
+		this.signCred = signCred;
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getAuthnRequestSigningCredential()
+	 */
+	@Override
+	public Credential getAuthnRequestSigningCredential() {
+		return this.signCred;
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getIDPEntityDescriptor()
+	 */
+	@Override
+	public EntityDescriptor getIDPEntityDescriptor() {
+		return this.idpEntity;
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getSubjectNameID()
+	 */
+	@Override
+	public String getSubjectNameID() {
+		return null;
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getSPNameForLogging()
+	 */
+	@Override
+	public String getSPNameForLogging() {
+		return EidasCentralAuthConstants.MODULE_NAME_FOR_LOGGING;
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getSubjectNameIDFormat()
+	 */
+	@Override
+	public String getSubjectNameIDFormat() {
+		return null;
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getRequestID()
+	 */
+	@Override
+	public String getRequestID() {
+		return null;
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getSubjectNameIDQualifier()
+	 */
+	@Override
+	public String getSubjectNameIDQualifier() {
+		return null;
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getSubjectConformationMethode()
+	 */
+	@Override
+	public String getSubjectConformationMethode() {
+		return null;
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getSubjectConformationDate()
+	 */
+	@Override
+	public Element getSubjectConformationDate() {
+		return null;
+	}
+
+	@Override
+	public List<EAAFRequestedAttribute> getRequestedAttributes() {
+		return this.requestedAttributes;
+		
+	}
+
+	@Override
+	public String getProviderName() {
+		return this.providerName;
+	}
+
+	@Override
+	public String getScopeRequesterId() {
+		return this.scopeRequesterId;
+	}
+
+	/**
+	 * Set the entityId of the SP that requests the proxy for eIDAS authentication
+	 * 
+	 * @param scopeRequesterId
+	 */
+	public void setScopeRequesterId(String scopeRequesterId) {
+		this.scopeRequesterId = scopeRequesterId;
+	}
+
+	/**
+	 * Set a friendlyName for the SP that requests the proxy for eIDAS authentication
+	 * 
+	 * @param providerName
+	 */
+	public void setProviderName(String providerName) {
+		this.providerName = providerName;
+	}
+
+	/**
+	 * Set a Set of PVP attributes that a requested by using requested attributes
+	 * 
+	 * @param requestedAttributes
+	 */
+	public void setRequestedAttributes(List<EAAFRequestedAttribute> requestedAttributes) {
+		this.requestedAttributes = requestedAttributes;
+	}
+	
+	
+
+	
+}
diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/controller/EidasCentralAuthMetadataController.java b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/controller/EidasCentralAuthMetadataController.java
new file mode 100644
index 000000000..4898c8f1e
--- /dev/null
+++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/controller/EidasCentralAuthMetadataController.java
@@ -0,0 +1,133 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.controller;
+
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+
+import com.google.common.net.MediaType;
+
+import at.gv.egiz.eaaf.core.impl.data.Pair;
+import at.gv.egiz.eaaf.core.impl.idp.controller.AbstractController;
+import at.gv.egiz.eaaf.core.impl.utils.HTTPUtils;
+import at.gv.egiz.eaaf.core.impl.utils.KeyValueUtils;
+import at.gv.egiz.eaaf.modules.pvp2.api.IPVP2BasicConfiguration;
+import at.gv.egiz.eaaf.modules.pvp2.impl.builder.PVPMetadataBuilder;
+import at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.EidasCentralAuthConstants;
+import at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.config.EidasCentralAuthMetadataConfiguration;
+import at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.utils.EidasCentralAuthCredentialProvider;
+import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.MiscUtil;
+
+/**
+ * @author tlenz
+ *
+ */
+@Controller
+public class EidasCentralAuthMetadataController extends AbstractController {
+	
+	@Autowired PVPMetadataBuilder metadatabuilder;
+	@Autowired AuthConfiguration authConfig;
+	@Autowired EidasCentralAuthCredentialProvider credentialProvider; 
+	@Autowired IPVP2BasicConfiguration pvpConfiguration;
+	
+	public EidasCentralAuthMetadataController() {
+		super();
+		Logger.debug("Registering servlet " + getClass().getName() 
+				+ " with mappings '" + EidasCentralAuthConstants.ENDPOINT_METADATA 
+				+ "'.");
+		
+	}
+	
+	@RequestMapping(value = EidasCentralAuthConstants.ENDPOINT_METADATA, 
+					method = {RequestMethod.GET})
+	public void getSPMetadata(HttpServletRequest req, HttpServletResponse resp) throws IOException {
+		//check PublicURL prefix
+		try {
+			String authURL = HTTPUtils.extractAuthURLFromRequest(req);		
+			if (!authConfig.getPublicURLPrefix().contains(authURL)) {		
+				resp.sendError(HttpServletResponse.SC_FORBIDDEN, "No valid request URL");
+				return;
+				
+			} else {
+				//initialize metadata builder configuration
+				EidasCentralAuthMetadataConfiguration metadataConfig = 
+						new EidasCentralAuthMetadataConfiguration(authURL, credentialProvider, pvpConfiguration);
+				metadataConfig.setAdditionalRequiredAttributes(getAdditonalRequiredAttributes());
+				
+				
+				//build metadata
+				String xmlMetadata = metadatabuilder.buildPVPMetadata(metadataConfig);
+				
+				//write response
+				byte[] content = xmlMetadata.getBytes("UTF-8");
+				resp.setStatus(HttpServletResponse.SC_OK);
+				resp.setContentLength(content.length);
+				resp.setContentType(MediaType.XML_UTF_8.toString());
+				resp.getOutputStream().write(content);
+
+			}
+			
+		} catch (Exception e) {
+			Logger.warn("Build federated-authentication PVP metadata FAILED.", e);
+			handleErrorNoRedirect(e, req, resp, false);
+			
+		}
+		
+	}
+
+	private List<Pair<String, Boolean>> getAdditonalRequiredAttributes() {
+		Map<String, String> addReqAttributes = authConfig.getBasicMOAIDConfigurationWithPrefix(EidasCentralAuthConstants.CONFIG_PROPS_REQUIRED_PVP_ATTRIBUTES_LIST);
+		if (addReqAttributes != null) {
+			List<Pair<String, Boolean>> result = new ArrayList<Pair<String, Boolean>>();
+			for (String el : addReqAttributes.values()) {
+				if (MiscUtil.isNotEmpty(el)) {
+					Logger.trace("Parse additional attr. definition: " + el);
+					List<String> attr = KeyValueUtils.getListOfCSVValues(el.trim());
+					if (attr.size() == 2) {						
+						result.add(Pair.newInstance(attr.get(0), Boolean.parseBoolean(attr.get(1))));
+						
+					} else
+						Logger.info("IGNORE additional attr. definition: " + el
+								+ " Reason: Format not valid");
+				}				
+			}
+			
+			return result;
+		}
+				
+		return null;
+	}
+		
+}
diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/controller/EidasCentralAuthSignalController.java b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/controller/EidasCentralAuthSignalController.java
new file mode 100644
index 000000000..1486ef841
--- /dev/null
+++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/controller/EidasCentralAuthSignalController.java
@@ -0,0 +1,67 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.controller;
+
+import java.io.IOException;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.commons.text.StringEscapeUtils;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+
+import at.gv.egiz.eaaf.core.impl.idp.controller.AbstractProcessEngineSignalController;
+import at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.EidasCentralAuthConstants;
+import at.gv.egovernment.moa.logging.Logger;
+
+/**
+ * @author tlenz
+ *
+ */
+@Controller
+public class EidasCentralAuthSignalController extends AbstractProcessEngineSignalController {
+
+	public EidasCentralAuthSignalController() {
+		super();
+		Logger.debug("Registering servlet " + getClass().getName() 
+				+ " with mappings '" + EidasCentralAuthConstants.ENDPOINT_POST 
+				+ "' and '" + EidasCentralAuthConstants.ENDPOINT_REDIRECT + "'.");
+		
+	}
+	
+	@RequestMapping(value = {	EidasCentralAuthConstants.ENDPOINT_POST, 
+								EidasCentralAuthConstants.ENDPOINT_REDIRECT
+							}, 
+					method = {RequestMethod.POST, RequestMethod.GET})
+	public void performCitizenCardAuthentication(HttpServletRequest req, HttpServletResponse resp) throws IOException {
+		signalProcessManagement(req, resp);
+		
+	}
+	
+	public String getPendingRequestId(HttpServletRequest request) {
+		return StringEscapeUtils.escapeHtml4(request.getParameter("RelayState"));
+		
+	}
+}
diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/tasks/CreateAuthnRequestTask.java b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/tasks/CreateAuthnRequestTask.java
new file mode 100644
index 000000000..7fb6fb4f8
--- /dev/null
+++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/tasks/CreateAuthnRequestTask.java
@@ -0,0 +1,164 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.tasks;
+
+import java.security.NoSuchAlgorithmException;
+import java.util.ArrayList;
+import java.util.List;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.opensaml.saml2.core.Attribute;
+import org.opensaml.saml2.metadata.EntityDescriptor;
+import org.opensaml.saml2.metadata.provider.MetadataProviderException;
+import org.opensaml.ws.message.encoder.MessageEncodingException;
+import org.opensaml.xml.security.SecurityException;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Component;
+
+import at.gv.egiz.eaaf.core.api.data.PVPAttributeDefinitions;
+import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext;
+import at.gv.egiz.eaaf.core.exceptions.TaskExecutionException;
+import at.gv.egiz.eaaf.core.impl.idp.auth.modules.AbstractAuthServletTask;
+import at.gv.egiz.eaaf.modules.pvp2.api.reqattr.EAAFRequestedAttribute;
+import at.gv.egiz.eaaf.modules.pvp2.impl.builder.PVPAttributeBuilder;
+import at.gv.egiz.eaaf.modules.pvp2.impl.utils.SAML2Utils;
+import at.gv.egiz.eaaf.modules.pvp2.sp.impl.PVPAuthnRequestBuilder;
+import at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.EidasCentralAuthConstants;
+import at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.config.EidasCentralAuthRequestBuilderConfiguration;
+import at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.utils.EidasCentralAuthCredentialProvider;
+import at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.utils.EidasCentralAuthMetadataProvider;
+import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
+import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.MiscUtil;
+
+/**
+ * @author tlenz
+ *
+ */
+@Component("CreateEidasCentrialAuthnRequestTask")
+public class CreateAuthnRequestTask extends AbstractAuthServletTask {
+ 
+	@Autowired PVPAuthnRequestBuilder authnReqBuilder;
+	@Autowired EidasCentralAuthCredentialProvider credential;
+	@Autowired EidasCentralAuthMetadataProvider metadataService;
+	
+	//@Autowired(required=true) ILoALevelMapper loaMapper;	
+	//@Autowired(required=true) MOAMetadataProvider metadataProvider;
+	 
+	
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask#execute(at.gv.egovernment.moa.id.process.api.ExecutionContext, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)
+	 */
+	@Override
+	public void execute(ExecutionContext executionContext, HttpServletRequest request, HttpServletResponse response)
+			throws TaskExecutionException {
+		try{
+			//check if eIDAS authentication is enabled for this SP
+			if (!Boolean.parseBoolean(pendingReq.getServiceProviderConfiguration().getConfigurationValue(MOAIDConfigurationConstants.SERVICE_AUTH_STORK_ENABLED, String.valueOf(false)))) {
+				Logger.info("eIDAS authentication is NOT enabled for OA: " + pendingReq.getServiceProviderConfiguration().getUniqueIdentifier());
+				throw new MOAIDException("eIDAS authentication is NOT enabled for OA: " + pendingReq.getServiceProviderConfiguration().getUniqueIdentifier(), null);
+				
+			}
+						
+			// get entityID for central ms-specific eIDAS node 
+			String msNodeEntityID = authConfig.getBasicConfiguration(EidasCentralAuthConstants.CONFIG_PROPS_NODE_ENTITYID);
+					
+			if (MiscUtil.isEmpty(msNodeEntityID)) {
+				Logger.info("eIDAS authentication not possible -> NO EntityID for central eIDAS node FOUND!");
+				throw new MOAIDException("NO EntityID for central eIDAS node FOUND", null);
+				
+			}
+						
+			//load metadata with metadataURL, as backup
+			String metadataURL = authConfig.getBasicConfiguration(EidasCentralAuthConstants.CONFIG_PROPS_NODE_METADATAURL);
+			if (MiscUtil.isNotEmpty(metadataURL)) {
+				Logger.warn("Use not recommended metadata-provider initialization!"
+						+ " SAML2 'Well-Known-Location' is the preferred methode.");
+				Logger.info("Initialize 'ms-specific eIDAS node' metadata-provider with URL:" + metadataURL);				
+				metadataService.addMetadataWithMetadataURL(metadataURL);
+				
+			}
+			
+			//load IDP SAML2 entitydescriptor
+			EntityDescriptor entityDesc = metadataService.getEntityDescriptor(msNodeEntityID);											
+			if (entityDesc == null) {
+				Logger.error("Requested 'ms-specific eIDAS node' " + entityDesc 
+						+ " has no valid metadata or metadata is not found");
+				throw new MOAIDException("Requested 'ms-specific eIDAS node' " + entityDesc 
+						+ " has no valid metadata or metadata is not found", null);
+				
+			}
+			
+			//setup AuthnRequestBuilder configuration
+			EidasCentralAuthRequestBuilderConfiguration authnReqConfig = new EidasCentralAuthRequestBuilderConfiguration();
+			authnReqConfig.setIdpEntity(entityDesc);
+			authnReqConfig.setPassive(false);
+			authnReqConfig.setSignCred(credential.getIDPAssertionSigningCredential());
+			authnReqConfig.setSPEntityID(pendingReq.getAuthURL() + EidasCentralAuthConstants.ENDPOINT_METADATA);			
+			authnReqConfig.setQAA_Level(
+					pendingReq.getServiceProviderConfiguration().getConfigurationValue(
+							MOAIDConfigurationConstants.SERVICE_AUTH_STORK_MINQAALEVEL, 
+							EidasCentralAuthConstants.CONFIG_DEFAULT_LOA_EIDAS_LEVEL));
+
+			authnReqConfig.setScopeRequesterId(pendingReq.getServiceProviderConfiguration().getUniqueIdentifier());
+			authnReqConfig.setProviderName(pendingReq.getServiceProviderConfiguration().getFriendlyName());
+			authnReqConfig.setRequestedAttributes(buildRequestedAttributes());
+			
+			//build and transmit AuthnRequest
+			authnReqBuilder.buildAuthnRequest(pendingReq, authnReqConfig , response);
+
+		} catch (MOAIDException e) {
+			throw new TaskExecutionException(pendingReq, e.getMessage(), e);
+						
+		} catch (MetadataProviderException e) {
+			throw new TaskExecutionException(pendingReq, "Build PVP2.1 AuthnRequest to connect 'ms-specific eIDAS node' FAILED.", e);
+
+		} catch (MessageEncodingException | NoSuchAlgorithmException  | SecurityException e) {
+			Logger.error("Build PVP2.1 AuthnRequest for SSO inderfederation FAILED", e);
+			throw new TaskExecutionException(pendingReq, e.getMessage(), e);
+			
+		} catch (Exception e) {
+			Logger.error("Build PVP2.1 AuthnRequest for SSO inderfederation FAILED", e);
+			throw new TaskExecutionException(pendingReq, e.getMessage(), e);
+			
+		}
+	}
+
+	private List<EAAFRequestedAttribute> buildRequestedAttributes() {
+		List<EAAFRequestedAttribute> attributs = new ArrayList<EAAFRequestedAttribute>();
+		
+		//build EID sector for identification attribute
+		Attribute attr = PVPAttributeBuilder.buildEmptyAttribute(PVPAttributeDefinitions.EID_SECTOR_FOR_IDENTIFIER_NAME);
+		EAAFRequestedAttribute reqAttr = SAML2Utils.generateReqAuthnAttributeSimple(
+				attr , 
+				true, 
+				pendingReq.getServiceProviderConfiguration().getAreaSpecificTargetIdentifier());	
+		attributs.add(reqAttr );		
+		
+		return attributs;
+	}
+
+}
diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/tasks/ReceiveAuthnResponseTask.java b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/tasks/ReceiveAuthnResponseTask.java
new file mode 100644
index 000000000..f9686029f
--- /dev/null
+++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/tasks/ReceiveAuthnResponseTask.java
@@ -0,0 +1,272 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.tasks;
+
+import java.io.IOException;
+import java.util.Set;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.xml.transform.TransformerException;
+
+import org.opensaml.saml2.core.Response;
+import org.opensaml.saml2.core.StatusCode;
+import org.opensaml.ws.message.decoder.MessageDecodingException;
+import org.opensaml.xml.io.MarshallingException;
+import org.opensaml.xml.security.SecurityException;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Component;
+
+import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext;
+import at.gv.egiz.eaaf.core.exceptions.EAAFStorageException;
+import at.gv.egiz.eaaf.core.exceptions.InvalidProtocolRequestException;
+import at.gv.egiz.eaaf.core.exceptions.TaskExecutionException;
+import at.gv.egiz.eaaf.core.impl.idp.auth.modules.AbstractAuthServletTask;
+import at.gv.egiz.eaaf.modules.pvp2.api.binding.IDecoder;
+import at.gv.egiz.eaaf.modules.pvp2.exception.CredentialsNotAvailableException;
+import at.gv.egiz.eaaf.modules.pvp2.impl.binding.PostBinding;
+import at.gv.egiz.eaaf.modules.pvp2.impl.binding.RedirectBinding;
+import at.gv.egiz.eaaf.modules.pvp2.impl.message.InboundMessage;
+import at.gv.egiz.eaaf.modules.pvp2.impl.message.PVPSProfileResponse;
+import at.gv.egiz.eaaf.modules.pvp2.impl.utils.SAML2Utils;
+import at.gv.egiz.eaaf.modules.pvp2.impl.validation.EAAFURICompare;
+import at.gv.egiz.eaaf.modules.pvp2.impl.validation.TrustEngineFactory;
+import at.gv.egiz.eaaf.modules.pvp2.sp.exception.AssertionValidationExeption;
+import at.gv.egiz.eaaf.modules.pvp2.sp.exception.AuthnResponseValidationException;
+import at.gv.egiz.eaaf.modules.pvp2.sp.impl.utils.AssertionAttributeExtractor;
+import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants;
+import at.gv.egovernment.moa.id.auth.exception.BuildException;
+import at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.EidasCentralAuthConstants;
+import at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.utils.EidasCentralAuthCredentialProvider;
+import at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.utils.EidasCentralAuthMetadataProvider;
+import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants;
+import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
+import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngineSP;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.MiscUtil;
+
+/**
+ * @author tlenz
+ *
+ */
+@Component("ReceiveFederatedAuthnResponseTask")
+public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {
+
+	@Autowired private SAMLVerificationEngineSP samlVerificationEngine;
+	@Autowired private EidasCentralAuthCredentialProvider credentialProvider; 
+	@Autowired(required=true) EidasCentralAuthMetadataProvider metadataProvider;
+	
+	
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask#execute(at.gv.egovernment.moa.id.process.api.ExecutionContext, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)
+	 */
+	@Override
+	public void execute(ExecutionContext executionContext, HttpServletRequest request, HttpServletResponse response)
+			throws TaskExecutionException {		
+		InboundMessage msg = null;
+		
+		try {
+			
+			IDecoder decoder = null; 
+			EAAFURICompare comperator = null;
+			//select Response Binding
+			if (request.getMethod().equalsIgnoreCase("POST")) {
+				decoder = new PostBinding();
+				comperator = new EAAFURICompare(pendingReq.getAuthURL() + EidasCentralAuthConstants.ENDPOINT_POST);
+				Logger.trace("Receive PVP Response from 'ms-specific eIDAS node', by using POST-Binding.");
+				
+			}  else if (request.getMethod().equalsIgnoreCase("GET")) {
+				decoder = new RedirectBinding();
+				comperator = new EAAFURICompare(pendingReq.getAuthURL() + EidasCentralAuthConstants.ENDPOINT_REDIRECT);
+				Logger.trace("Receive PVP Response from 'ms-specific eIDAS node', by using Redirect-Binding.");
+				
+			} else {
+				Logger.warn("Receive PVP Response, but Binding (" 
+						+ request.getMethod() + ") is not supported.");
+				throw new AuthnResponseValidationException("sp.pvp2.03", new Object[] {EidasCentralAuthConstants.MODULE_NAME_FOR_LOGGING});
+				
+			}
+			
+			//decode PVP response object
+			msg = (InboundMessage) decoder.decode(
+					request, response, metadataProvider, true,
+					comperator);
+			 
+			if (MiscUtil.isEmpty(msg.getEntityID())) {
+				throw new InvalidProtocolRequestException("sp.pvp2.04", 
+						new Object[] {EidasCentralAuthConstants.MODULE_NAME_FOR_LOGGING},
+						"NO configuration for SP entityID: " + msg.getEntityID());
+				
+			}
+
+			//validate response signature
+			if(!msg.isVerified()) {
+				samlVerificationEngine.verify(msg, TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider));
+				msg.setVerified(true);
+								
+			}
+			
+			revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.AUTHPROTOCOL_PVP_REQUEST_AUTHRESPONSE);
+			
+			//validate assertion
+			PVPSProfileResponse processedMsg = preProcessAuthResponse((PVPSProfileResponse) msg);
+			
+			//validate entityId of response
+			String msNodeEntityID = authConfig.getBasicConfiguration(EidasCentralAuthConstants.CONFIG_PROPS_NODE_ENTITYID);
+			String respEntityId = msg.getEntityID();
+			if (!msNodeEntityID.equals(respEntityId)) {
+				Logger.warn("Response Issuer is not a 'ms-specific eIDAS node'. Stopping eIDAS authentication ...");
+				throw new AuthnResponseValidationException("sp.pvp2.08", 
+						new Object[] {EidasCentralAuthConstants.MODULE_NAME_FOR_LOGGING,
+								msg.getEntityID()});
+				
+			}
+									
+			//initialize Attribute extractor
+			AssertionAttributeExtractor extractor = 
+					new AssertionAttributeExtractor((Response) processedMsg.getResponse());
+															
+			getAuthDataFromInterfederation(extractor, pendingReq.getServiceProviderConfiguration(IOAAuthParameters.class));	
+							
+			//store pending-request
+			requestStoreage.storePendingRequest(pendingReq);
+			
+			//write log entries
+			revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.AUTHPROCESS_INTERFEDERATION_REVEIVED);				
+			Logger.info("Receive a valid assertion from IDP " + msg.getEntityID()); 
+											
+		} catch (MessageDecodingException | SecurityException e) {
+			String samlRequest = request.getParameter("SAMLRequest");			
+			Logger.warn("Receive INVALID PVP Response from 'ms-specific eIDAS node': " + samlRequest, e);
+			throw new TaskExecutionException(pendingReq, "Receive INVALID PVP Response from federated IDP", e);
+
+		} catch (IOException | MarshallingException | TransformerException e) {
+			Logger.warn("Processing PVP response from 'ms-specific eIDAS node' FAILED.", e);
+			throw new TaskExecutionException(pendingReq, "Processing PVP response from 'ms-specific eIDAS node' FAILED.", e);
+			
+		} catch (CredentialsNotAvailableException e) {
+			Logger.error("PVP response decrytion FAILED. No credential found.", e);
+			throw new TaskExecutionException(pendingReq, "PVP response decrytion FAILED. No credential found.", e);
+
+		} catch (AssertionValidationExeption | AuthnResponseValidationException e) {
+			Logger.info("PVP response validation FAILED. Msg:" + e.getMessage());			
+			throw new TaskExecutionException(pendingReq, "PVP response validation FAILED.", e);
+									
+		} catch (Exception e) {
+			Logger.warn("PVP response validation FAILED. Msg:" + e.getMessage(), e);			
+			throw new TaskExecutionException(pendingReq, "PVP response validation FAILED.", e);
+			
+		}
+
+	}
+	
+	private void getAuthDataFromInterfederation(AssertionAttributeExtractor extractor, IOAAuthParameters spConfig) throws BuildException, ConfigurationException{		
+		try {																		
+			//check if all attributes are include
+			if (!extractor.containsAllRequiredAttributes() 
+					&& !extractor.containsAllRequiredAttributes(EidasCentralAuthConstants.DEFAULT_REQUIRED_PVP_ATTRIBUTE_NAMES)) {
+				Logger.warn("PVP Response from federated IDP contains not all requested attributes.");
+				throw new AssertionValidationExeption("sp.pvp2.06", new Object[]{EidasCentralAuthConstants.MODULE_NAME_FOR_LOGGING});
+				
+			}
+			
+			//copy attributes into MOASession
+			Set<String> includedAttrNames = extractor.getAllIncludeAttributeNames();
+			for (String el : includedAttrNames) {
+				String value = extractor.getSingleAttributeValue(el);				 				
+				pendingReq.setGenericDataToSession(el, value);				
+				Logger.debug("Add PVP-attribute " + el + " into MOASession");
+				
+			}
+												
+		} catch (AssertionValidationExeption e) {
+			throw new BuildException("builder.06", null, e);
+			
+		} catch (EAAFStorageException e) {
+			throw new BuildException("builder.06", null, e);
+			
+		}
+	}
+	
+	/**
+	 * @param executionContext
+	 * @param idpConfig
+	 * @param message 
+	 * @param objects 
+	 * @throws TaskExecutionException 
+	 * @throws Throwable 
+	 */
+	private void handleAuthnResponseValidationProblem(ExecutionContext executionContext, IOAAuthParameters idpConfig, Throwable e) throws TaskExecutionException {
+
+		if (idpConfig != null && idpConfig.isPerformLocalAuthenticationOnInterfederationError()) {
+			Logger.info("Switch to local authentication on this IDP ... ");
+		
+			executionContext.put(MOAIDAuthConstants.PROCESSCONTEXT_REQUIRELOCALAUTHENTICATION, true);
+			executionContext.put(MOAIDAuthConstants.PROCESSCONTEXT_PERFORM_BKUSELECTION, true);
+		
+			executionContext.remove(MOAIDAuthConstants.PROCESSCONTEXT_PERFORM_INTERFEDERATION_AUTH);
+			
+		} else {
+			throw new TaskExecutionException(pendingReq, "PVP response validation FAILED.", e);
+			
+		}
+		
+	}
+	
+	/**
+	 * PreProcess AuthResponse and Assertion 
+	 * @param msg
+	 * @throws TransformerException 
+	 * @throws MarshallingException 
+	 * @throws IOException 
+	 * @throws CredentialsNotAvailableException 
+	 * @throws AssertionValidationExeption 
+	 * @throws AuthnResponseValidationException 
+	 */
+	private PVPSProfileResponse preProcessAuthResponse(PVPSProfileResponse msg) throws IOException, MarshallingException, TransformerException, AssertionValidationExeption, CredentialsNotAvailableException, AuthnResponseValidationException {
+		Logger.debug("Start PVP21 assertion processing... ");
+		Response samlResp = (Response) msg.getResponse();
+
+		// check SAML2 response status-code
+		if (samlResp.getStatus().getStatusCode().getValue().equals(StatusCode.SUCCESS_URI)) {				
+			//validate PVP 2.1 assertion
+			samlVerificationEngine.validateAssertion(samlResp, true, 
+					credentialProvider.getIDPAssertionEncryptionCredential(),
+					pendingReq.getAuthURL() + EidasCentralAuthConstants.ENDPOINT_METADATA,
+					EidasCentralAuthConstants.MODULE_NAME_FOR_LOGGING);
+
+			msg.setSAMLMessage(SAML2Utils.asDOMDocument(samlResp).getDocumentElement());
+			return msg;
+				
+		} else {
+			Logger.info("Receive StatusCode " + samlResp.getStatus().getStatusCode().getValue() 
+				+ " from 'ms-specific eIDAS node'.");
+			throw new AuthnResponseValidationException("sp.pvp2.05", 
+					new Object[]{EidasCentralAuthConstants.MODULE_NAME_FOR_LOGGING, samlResp.getIssuer().getValue(), samlResp.getStatus().getStatusCode().getValue()});
+					
+		}
+								
+	}	
+
+}
diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/utils/EidasCentralAuthCredentialProvider.java b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/utils/EidasCentralAuthCredentialProvider.java
new file mode 100644
index 000000000..f2f8530f6
--- /dev/null
+++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/utils/EidasCentralAuthCredentialProvider.java
@@ -0,0 +1,124 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.utils;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Service;
+
+import at.gv.egiz.eaaf.core.impl.utils.FileUtils;
+import at.gv.egiz.eaaf.modules.pvp2.impl.utils.AbstractCredentialProvider;
+import at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.EidasCentralAuthConstants;
+import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
+import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
+
+/**
+ * @author tlenz
+ *
+ */
+@Service("EidasCentralAuthCredentialProvider")
+public class EidasCentralAuthCredentialProvider extends AbstractCredentialProvider {
+
+	@Autowired AuthConfiguration authConfig;
+	
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider#getKeyStoreFilePath()
+	 */
+	@Override
+	public String getKeyStoreFilePath() throws ConfigurationException {
+		return FileUtils.makeAbsoluteURL(
+					authConfig.getBasicConfiguration(EidasCentralAuthConstants.CONFIG_PROPS_KEYSTORE), 
+					authConfig.getRootConfigFileDir());
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider#getKeyStorePassword()
+	 */
+	@Override
+	public String getKeyStorePassword() {
+		return authConfig.getBasicConfiguration(EidasCentralAuthConstants.CONFIG_PROPS_KEYSTOREPASSWORD).trim();
+
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider#getMetadataKeyAlias()
+	 */
+	@Override
+	public String getMetadataKeyAlias() {
+		return authConfig.getBasicConfiguration(
+				EidasCentralAuthConstants.CONFIG_PROPS_SIGN_METADATA_ALIAS_PASSWORD).trim();
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider#getMetadataKeyPassword()
+	 */
+	@Override
+	public String getMetadataKeyPassword() {
+		return authConfig.getBasicConfiguration(
+				EidasCentralAuthConstants.CONFIG_PROPS_SIGN_METADATA_KEY_PASSWORD).trim();
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider#getSignatureKeyAlias()
+	 */
+	@Override
+	public String getSignatureKeyAlias() {
+		return authConfig.getBasicConfiguration(
+				EidasCentralAuthConstants.CONFIG_PROPS_SIGN_SIGNING_ALIAS_PASSWORD).trim();
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider#getSignatureKeyPassword()
+	 */
+	@Override
+	public String getSignatureKeyPassword() {
+		return authConfig.getBasicConfiguration(
+				EidasCentralAuthConstants.CONFIG_PROPS_SIGN_SIGNING_KEY_PASSWORD).trim();
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider#getEncryptionKeyAlias()
+	 */
+	@Override
+	public String getEncryptionKeyAlias() {
+		return authConfig.getBasicConfiguration(
+				EidasCentralAuthConstants.CONFIG_PROPS_ENCRYPTION_ALIAS_PASSWORD).trim();
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider#getEncryptionKeyPassword()
+	 */
+	@Override
+	public String getEncryptionKeyPassword() {
+		return authConfig.getBasicConfiguration(
+				EidasCentralAuthConstants.CONFIG_PROPS_ENCRYPTION_KEY_PASSWORD).trim();
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider#getCredentialName()
+	 */
+	@Override
+	public String getFriendlyName() {
+		return "eIDAS centrial authentication";
+	}
+
+}
diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/utils/EidasCentralAuthMetadataProvider.java b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/utils/EidasCentralAuthMetadataProvider.java
new file mode 100644
index 000000000..5cee90658
--- /dev/null
+++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/utils/EidasCentralAuthMetadataProvider.java
@@ -0,0 +1,345 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.utils;
+
+import java.net.MalformedURLException;
+import java.util.List;
+import java.util.Timer;
+
+import javax.xml.namespace.QName;
+
+import org.apache.commons.httpclient.HttpClient;
+import org.apache.commons.httpclient.MOAHttpClient;
+import org.apache.commons.httpclient.params.HttpClientParams;
+import org.opensaml.saml2.metadata.EntitiesDescriptor;
+import org.opensaml.saml2.metadata.EntityDescriptor;
+import org.opensaml.saml2.metadata.RoleDescriptor;
+import org.opensaml.saml2.metadata.provider.ChainingMetadataProvider;
+import org.opensaml.saml2.metadata.provider.HTTPMetadataProvider;
+import org.opensaml.saml2.metadata.provider.MetadataFilter;
+import org.opensaml.saml2.metadata.provider.MetadataProvider;
+import org.opensaml.saml2.metadata.provider.MetadataProviderException;
+import org.opensaml.xml.XMLObject;
+import org.opensaml.xml.parse.BasicParserPool;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Service;
+
+import at.gv.egiz.eaaf.core.api.IDestroyableObject;
+import at.gv.egiz.eaaf.modules.pvp2.impl.metadata.MetadataFilterChain;
+import at.gv.egiz.eaaf.modules.pvp2.impl.metadata.SimpleMetadataProvider;
+import at.gv.egiz.eaaf.modules.pvp2.impl.validation.metadata.SchemaValidationFilter;
+import at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.EidasCentralAuthConstants;
+import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
+import at.gv.egovernment.moa.id.commons.ex.MOAHttpProtocolSocketFactoryException;
+import at.gv.egovernment.moa.id.commons.utils.MOAHttpProtocolSocketFactory;
+import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
+import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.MOASPMetadataSignatureFilter;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.MiscUtil;
+
+/**
+ * @author tlenz
+ *
+ */
+
+@Service("EidasCentralAuthMetadataProvider")
+public class EidasCentralAuthMetadataProvider extends SimpleMetadataProvider
+	implements IDestroyableObject {
+	@Autowired(required=true) AuthConfiguration moaAuthConfig;
+		
+	private ChainingMetadataProvider metadataProvider = new ChainingMetadataProvider();
+	private Timer timer = null;
+	
+
+	public EidasCentralAuthMetadataProvider() {		
+		metadataProvider.setRequireValidMetadata(true);
+		
+	}
+
+	public void addMetadataWithMetadataURL(String metadataURL) throws MetadataProviderException {
+		internalInitialize(metadataURL);
+					
+	}
+	
+	public void destroy() {
+		fullyDestroy();
+		
+	}
+	
+	
+		
+	/* (non-Javadoc)
+	 * @see org.opensaml.saml2.metadata.provider.MetadataProvider#requireValidMetadata()
+	 */
+	@Override
+	public boolean requireValidMetadata() {
+			return metadataProvider.requireValidMetadata();
+			
+	}
+
+	/* (non-Javadoc)
+	 * @see org.opensaml.saml2.metadata.provider.MetadataProvider#setRequireValidMetadata(boolean)
+	 */
+	@Override
+	public void setRequireValidMetadata(boolean requireValidMetadata) {	
+			metadataProvider.setRequireValidMetadata(requireValidMetadata);
+					
+	}
+
+	/* (non-Javadoc)
+	 * @see org.opensaml.saml2.metadata.provider.MetadataProvider#getMetadataFilter()
+	 */
+	@Override
+	public MetadataFilter getMetadataFilter() {	
+			return metadataProvider.getMetadataFilter();
+			
+	}
+
+	/* (non-Javadoc)
+	 * @see org.opensaml.saml2.metadata.provider.MetadataProvider#setMetadataFilter(org.opensaml.saml2.metadata.provider.MetadataFilter)
+	 */
+	@Override
+	public void setMetadataFilter(MetadataFilter newFilter) throws MetadataProviderException {
+		Logger.fatal("Set Metadata Filter is not implemented her!");
+		
+	}
+
+	/* (non-Javadoc)
+	 * @see org.opensaml.saml2.metadata.provider.MetadataProvider#getMetadata()
+	 */
+	@Override
+	public XMLObject getMetadata() throws MetadataProviderException {		
+		return metadataProvider.getMetadata();
+		
+	}
+
+	/* (non-Javadoc)
+	 * @see org.opensaml.saml2.metadata.provider.MetadataProvider#getEntitiesDescriptor(java.lang.String)
+	 */
+	@Override
+	public EntitiesDescriptor getEntitiesDescriptor(String name) throws MetadataProviderException {
+		return metadataProvider.getEntitiesDescriptor(name);
+		
+	}
+
+	/* (non-Javadoc)
+	 * @see org.opensaml.saml2.metadata.provider.MetadataProvider#getEntityDescriptor(java.lang.String)
+	 */
+	@Override
+	public EntityDescriptor getEntityDescriptor(String entityID) throws MetadataProviderException {
+		try {
+			//search if metadata is already loaded
+			EntityDescriptor entityDesc =  metadataProvider.getEntityDescriptor(entityID);
+			
+			if (entityDesc != null)
+				return entityDesc;
+			else
+				Logger.info("No ms-specific eIDAS node: " + entityID + " Starting refresh process ...");
+						
+		} catch (MetadataProviderException e) {
+			Logger.info("Access ms-specific eIDAS node: " + entityID + " FAILED. Reason:" + e.getMessage() + " Starting refresh process ...");
+			
+		}
+
+		//(re)initialize ms-specific eIDAS node
+		internalInitialize(entityID);
+				
+		//search again after reload (re)initialization
+		try {
+			EntityDescriptor entityDesc = metadataProvider.getEntityDescriptor(entityID);
+			if (entityDesc == null) {
+				Logger.error("MS-specific eIDAS node Client ERROR: No EntityID with "+ entityID);
+				throw new MetadataProviderException("No EntityID with "+ entityID);
+			}
+			
+			return entityDesc;
+			
+		} catch (MetadataProviderException e) {
+			Logger.error("MS-specific eIDAS node Client ERROR: Metadata extraction FAILED.", e);
+			throw new MetadataProviderException("Metadata extraction FAILED", e);
+			
+		}
+	}
+
+	/* (non-Javadoc)
+	 * @see org.opensaml.saml2.metadata.provider.MetadataProvider#getRole(java.lang.String, javax.xml.namespace.QName)
+	 */
+	@Override
+	public List<RoleDescriptor> getRole(String entityID, QName roleName) throws MetadataProviderException {
+		try {
+			//search if metadata is already loaded
+			List<RoleDescriptor> role = metadataProvider.getRole(entityID, roleName);
+			
+			if (role != null)
+				return role;
+			else
+				Logger.info("No ms-specific eIDAS node: " + entityID + " Starting refresh process ...");
+						
+		} catch (MetadataProviderException e) {
+			Logger.info("Access ms-specific eIDAS node: " + entityID + " FAILED. Reason:" + e.getMessage() + " Starting refresh process ...");
+			
+		}
+
+		//(re)initialize ms-specific eIDAS node
+		internalInitialize(entityID);
+		
+		//search again after reload (re)initialization
+		return metadataProvider.getRole(entityID, roleName);
+	}
+
+	/* (non-Javadoc)
+	 * @see org.opensaml.saml2.metadata.provider.MetadataProvider#getRole(java.lang.String, javax.xml.namespace.QName, java.lang.String)
+	 */
+	@Override
+	public RoleDescriptor getRole(String entityID, QName roleName, String supportedProtocol)
+			throws MetadataProviderException {		
+		try {
+			//search if metadata is already loaded
+			RoleDescriptor role = metadataProvider.getRole(entityID, roleName, supportedProtocol);
+			
+			if (role != null)
+				return role;
+			else
+				Logger.info("No ms-specific eIDAS node: " + entityID + " Starting refresh process ...");
+						
+		} catch (MetadataProviderException e) {
+			Logger.info("Access ms-specific eIDAS node: " + entityID + " FAILED. Reason:" + e.getMessage() + " Starting refresh process ...");
+			
+		}
+
+		//(re)initialize ms-specific eIDAS node
+		internalInitialize(entityID);
+		
+		//search again after reload (re)initialization
+		return metadataProvider.getRole(entityID, roleName, supportedProtocol);
+	}
+	
+	private synchronized void internalInitialize(String metdataURL) throws MetadataProviderException {
+		
+		//check if metadata with EntityID already exists in chaining metadata provider
+		boolean addNewMetadata = true;
+		try {
+			addNewMetadata = (metadataProvider.getEntityDescriptor(metdataURL) == null);
+						
+		} catch (MetadataProviderException e) {}
+
+		//switch between metadata refresh and add new metadata		
+		if (addNewMetadata) {
+			//Metadata provider seems not loaded --> Add new metadata provider
+			Logger.info("Initialize PVP MetadataProvider:" + metdataURL + " to connect ms-specific eIDAS node");
+		
+			String trustProfileID = authConfig.getBasicConfiguration(EidasCentralAuthConstants.CONFIG_PROPS_NODE_TRUSTPROFILEID);
+			if (MiscUtil.isEmpty(trustProfileID)) {
+				Logger.error("Create ms-specific eIDAS node Client FAILED: No trustProfileID to verify PVP metadata." );
+				throw new MetadataProviderException("No trustProfileID to verify PVP metadata.");
+			}
+		
+			//initialize Timer if it is null
+			if (timer == null)
+				timer = new Timer(true);
+				
+			//create metadata validation filter chain
+			MetadataFilterChain filter = new MetadataFilterChain();
+			filter.addFilter(new SchemaValidationFilter(true));
+			filter.addFilter(new MOASPMetadataSignatureFilter(trustProfileID));
+		
+			MetadataProvider idpMetadataProvider = createNewSimpleMetadataProvider(metdataURL, 
+					filter, 
+					EidasCentralAuthConstants.MODULE_NAME_FOR_LOGGING,					
+					timer,
+					new BasicParserPool(),
+					createHttpClient(metdataURL));
+			
+			if (idpMetadataProvider == null) {
+				Logger.error("Create ms-specific eIDAS node Client FAILED.");
+				throw new MetadataProviderException("Can not initialize 'ms-specific eIDAS node' metadata provider.");
+			
+			}
+		
+			idpMetadataProvider.setRequireValidMetadata(true);
+			metadataProvider.addMetadataProvider(idpMetadataProvider);	
+			
+		} else {
+			//Metadata provider seems already loaded --> start refresh process
+			List<MetadataProvider> loadedProvider = metadataProvider.getProviders();
+			for (MetadataProvider el : loadedProvider) {
+				if (el instanceof HTTPMetadataProvider) {
+					HTTPMetadataProvider prov = (HTTPMetadataProvider)el;
+					if (prov.getMetadataURI().equals(metdataURL))
+						prov.refresh();
+										
+				} else
+					Logger.warn("'ms-specific eIDAS node' Metadata provider is not of Type 'HTTPMetadataProvider'! Something is suspect!!!!");
+								
+			}			
+		}
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.auth.IDestroyableObject#fullyDestroy()
+	 */
+	@Override
+	public void fullyDestroy() {
+		Logger.info("Destroy 'ms-specific eIDAS node' PVP metadata pool ... ");
+		
+		if (metadataProvider != null) {
+			metadataProvider.destroy();
+			
+		}
+		
+		if (timer != null)
+			timer.cancel();
+		
+	}
+	
+	private HttpClient createHttpClient(String metadataURL) {					
+		MOAHttpClient httpClient = new MOAHttpClient();		
+		HttpClientParams httpClientParams = new HttpClientParams();
+		httpClientParams.setSoTimeout(AuthConfiguration.CONFIG_PROPS_METADATA_SOCKED_TIMEOUT);
+		httpClient.setParams(httpClientParams);
+		
+		if (metadataURL.startsWith("https:")) {
+			try {
+				//FIX: change hostname validation default flag to true when httpClient is updated to > 4.4
+				MOAHttpProtocolSocketFactory protoSocketFactory = new MOAHttpProtocolSocketFactory(
+						PVPConstants.SSLSOCKETFACTORYNAME, 
+						moaAuthConfig.getTrustedCACertificates(),
+						null,
+						AuthConfiguration.DEFAULT_X509_CHAININGMODE, 
+						moaAuthConfig.isTrustmanagerrevoationchecking(),
+						moaAuthConfig.getRevocationMethodOrder(),
+						moaAuthConfig.getBasicMOAIDConfigurationBoolean(
+								AuthConfiguration.PROP_KEY_SSL_HOSTNAME_VALIDATION, false));
+				
+				httpClient.setCustomSSLTrustStore(metadataURL, protoSocketFactory);
+
+			} catch (MOAHttpProtocolSocketFactoryException | MalformedURLException e) {
+				Logger.warn("MOA SSL-TrustStore can not initialized. Use default Java TrustStore.", e);
+				
+			}
+		}
+		
+		return httpClient;
+				
+	}
+}
diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/resources/META-INF/services/at.gv.egiz.components.spring.api.SpringResourceProvider b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/resources/META-INF/services/at.gv.egiz.components.spring.api.SpringResourceProvider
new file mode 100644
index 000000000..5954455a4
--- /dev/null
+++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/resources/META-INF/services/at.gv.egiz.components.spring.api.SpringResourceProvider
@@ -0,0 +1 @@
+at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.EidasCentralAuthSpringResourceProvider
\ No newline at end of file
diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/resources/eIDAS_central_node_auth.process.xml b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/resources/eIDAS_central_node_auth.process.xml
new file mode 100644
index 000000000..02bf7bcad
--- /dev/null
+++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/resources/eIDAS_central_node_auth.process.xml
@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<pd:ProcessDefinition id="centrialEidasAuthentication" xmlns:pd="http://reference.e-government.gv.at/namespace/moa/process/definition/v1">
+
+	<pd:Task id="createEidasAuthnRequest" 	class="CreateEidasCentrialAuthnRequestTask" />
+	<pd:Task id="receiveEidasAuthnResponse"	class="ReceiveEidasCentrialAuthnResponseTask" async="true" />
+	<pd:Task id="finalizeAuthentication" 	class="FinalizeAuthenticationTask" />	
+
+	<pd:StartEvent id="start" />
+			
+	<pd:Transition from="start"						to="createEidasAuthnRequest" />	
+	<pd:Transition from="createEidasAuthnRequest" 	to="receiveEidasAuthnResponse"/>
+	<pd:Transition from="receiveEidasAuthnResponse" to="finalizeAuthentication"/>	
+	<pd:Transition from="finalizeAuthentication"    to="end" />			
+	
+	<pd:EndEvent id="end" />
+
+</pd:ProcessDefinition>
\ No newline at end of file
diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/resources/moaid_eIDAS_central_node_auth.beans.xml b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/resources/moaid_eIDAS_central_node_auth.beans.xml
new file mode 100644
index 000000000..9c6ee3c67
--- /dev/null
+++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/resources/moaid_eIDAS_central_node_auth.beans.xml
@@ -0,0 +1,41 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xmlns:context="http://www.springframework.org/schema/context"
+	xmlns:tx="http://www.springframework.org/schema/tx"
+	xmlns:aop="http://www.springframework.org/schema/aop"
+	xsi:schemaLocation="http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-3.1.xsd
+		http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+		http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd
+		http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.0.xsd">
+ 
+
+<!-- Federated authentication services -->
+	<bean id="EidasCentralAuthCredentialProvider"
+	      		class="at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.utils.EidasCentralAuthCredentialProvider"/>
+
+	<bean	id="EidasCentralAuthMetadataController"
+				class="at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.controller.EidasCentralAuthMetadataController"/>
+				
+	<bean	id="EidasCentralAuthModuleImpl"
+				class="at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.EidasCentralAuthModuleImpl"/>				
+	
+	<bean	id="EidasCentralAuthSignalController"
+				class="at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.controller.EidasCentralAuthSignalController"/>
+	
+	<bean	id="EidasCentralAuthMetadataProvider"
+				class="at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.utils.EidasCentralAuthMetadataProvider" />
+	
+	<bean 	id="pvpAuthnRequestBuilder"
+				class="at.gv.egiz.eaaf.modules.pvp2.sp.impl.PVPAuthnRequestBuilder" />
+	
+<!-- Federated Authentication Process Tasks -->
+	<bean id="CreateEidasCentrialAuthnRequestTask" 
+				class="at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.tasks.CreateAuthnRequestTask"
+				scope="prototype"/>
+				
+	<bean id="ReceiveEidasCentrialAuthnResponseTask" 
+				class="at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.tasks.ReceiveAuthnResponseTask"
+				scope="prototype"/>
+																								
+</beans>
\ No newline at end of file
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eIDASMetadata.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eIDASMetadata.java
new file mode 100644
index 000000000..db072203d
--- /dev/null
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eIDASMetadata.java
@@ -0,0 +1,5 @@
+package at.gv.egovernment.moa.id.protocols.eidas.attributes.builder;
+
+public @interface eIDASMetadata {
+
+}
diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/config/ELGAMandatesRequestBuilderConfiguration.java b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/config/ELGAMandatesRequestBuilderConfiguration.java
index 719629936..6548f9fcf 100644
--- a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/config/ELGAMandatesRequestBuilderConfiguration.java
+++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/config/ELGAMandatesRequestBuilderConfiguration.java
@@ -40,6 +40,7 @@ import org.opensaml.xml.security.credential.Credential;
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
 
+import at.gv.egiz.eaaf.modules.pvp2.api.reqattr.EAAFRequestedAttribute;
 import at.gv.egiz.eaaf.modules.pvp2.impl.utils.SAML2Utils;
 import at.gv.egiz.eaaf.modules.pvp2.sp.api.IPVPAuthnRequestBuilderConfiguruation;
 import at.gv.egovernment.moa.id.auth.modules.elgamandates.ELGAMandatesAuthConstants;
@@ -302,10 +303,20 @@ public class ELGAMandatesRequestBuilderConfiguration implements IPVPAuthnRequest
 	}
 
 	@Override
-	public List<String> getRequestedAttributes() {
+	public List<EAAFRequestedAttribute> getRequestedAttributes() {
 		return null;
 		
 	}
+
+	@Override
+	public String getProviderName() {
+		return null;
+	}
+
+	@Override
+	public String getScopeRequesterId() {
+		return null;
+	}
 	
 		
 }
diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthnRequestBuilderConfiguration.java b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthnRequestBuilderConfiguration.java
index e9c3115fe..50da5187b 100644
--- a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthnRequestBuilderConfiguration.java
+++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthnRequestBuilderConfiguration.java
@@ -30,6 +30,7 @@ import org.opensaml.saml2.metadata.EntityDescriptor;
 import org.opensaml.xml.security.credential.Credential;
 import org.w3c.dom.Element;
 
+import at.gv.egiz.eaaf.modules.pvp2.api.reqattr.EAAFRequestedAttribute;
 import at.gv.egiz.eaaf.modules.pvp2.sp.api.IPVPAuthnRequestBuilderConfiguruation;
 import at.gv.egovernment.moa.id.auth.modules.federatedauth.FederatedAuthConstants;
 
@@ -210,10 +211,20 @@ public class FederatedAuthnRequestBuilderConfiguration implements IPVPAuthnReque
 	}
 
 	@Override
-	public List<String> getRequestedAttributes() {
+	public List<EAAFRequestedAttribute> getRequestedAttributes() {
 		return null;
 		
 	}
 
+	@Override
+	public String getProviderName() {
+		return null;
+	}
+
+	@Override
+	public String getScopeRequesterId() {
+		return null;
+	}
+
 	
 }
diff --git a/id/server/modules/pom.xml b/id/server/modules/pom.xml
index a9aed2d24..06c9a341a 100644
--- a/id/server/modules/pom.xml
+++ b/id/server/modules/pom.xml
@@ -36,6 +36,7 @@
 		<module>moa-id-module-bkaMobilaAuthSAML2Test</module>
    		
    		<module>moa-id-module-sl20_authentication</module>
+    <module>moa-id-module-AT_eIDAS_connector</module>
   </modules>
 	
 	<dependencies>
diff --git a/pom.xml b/pom.xml
index 2faf73b09..8d7773b5a 100644
--- a/pom.xml
+++ b/pom.xml
@@ -566,6 +566,12 @@
 				<groupId>MOA.id.server.modules</groupId>
 				<artifactId>moa-id-module-sl20_authentication</artifactId>
 				<version>${moa-id-version}</version>
+			</dependency>
+			
+			<dependency>
+				<groupId>MOA.id.server.modules</groupId>
+				<artifactId>moa-id-module-AT_eIDAS_connector</artifactId>
+				<version>${moa-id-version}</version>
 			</dependency>				   			                         
 			   			                         
              <dependency>
-- 
cgit v1.2.3