From c7cd9327bbc4d7e180bab9b6bff2a17028c166dc Mon Sep 17 00:00:00 2001
From: Thomas Lenz <tlenz@iaik.tugraz.at>
Date: Tue, 19 Feb 2019 11:28:24 +0100
Subject: add some more attribute functionality for 'Austrian eID' demo-mode

---
 .../id/auth/builder/AuthenticationDataBuilder.java |  58 +++++++-
 .../gv/egovernment/moa/id/data/IMOAAuthData.java   |  18 ++-
 .../moa/id/data/MOAAuthenticationData.java         |  44 +++++-
 .../attributes/BPKListAttributeBuilder.java        |  14 +-
 .../attributes/EncryptedBPKAttributeBuilder.java   |  31 +++--
 .../MandateNaturalPersonBPKAttributeBuilder.java   | 154 +++++++++++++++------
 ...andateNaturalPersonBPKListAttributeBuilder.java |  83 +++++++++++
 ...ateNaturalPersonEncBPKListAttributeBuilder.java |  62 +++++++++
 ...dateNaturalPersonSourcePinAttributeBuilder.java |   1 +
 ...NaturalPersonSourcePinTypeAttributeBuilder.java |   1 +
 .../at.gv.egiz.eaaf.core.api.idp.IAttributeBuilder |   2 +
 .../auth/data/AuthenticationDataBuilderTest.java   |   5 +-
 .../attributes/OAuth20AttributeBuilder.java        |   4 +
 .../data/SSOTransferAuthenticationData.java        |   8 +-
 .../protocols/saml1/SAML1AuthenticationServer.java |  94 ++++++++++---
 15 files changed, 482 insertions(+), 97 deletions(-)
 create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBPKListAttributeBuilder.java
 create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonEncBPKListAttributeBuilder.java

diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
index c58f19333..acf59cebf 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
@@ -36,6 +36,7 @@ import java.util.Map.Entry;
 
 import javax.annotation.PostConstruct;
 
+import org.apache.commons.lang3.StringUtils;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Service;
 import org.w3c.dom.DOMException;
@@ -81,6 +82,9 @@ import at.gv.egovernment.moa.id.config.auth.OAAuthParameterDecorator;
 import at.gv.egovernment.moa.id.data.AuthenticationRoleFactory;
 import at.gv.egovernment.moa.id.data.MISMandate;
 import at.gv.egovernment.moa.id.data.MOAAuthenticationData;
+import at.gv.egovernment.moa.id.protocols.builder.attributes.MandateNaturalPersonSourcePinAttributeBuilder;
+import at.gv.egovernment.moa.id.protocols.builder.attributes.MandateNaturalPersonSourcePinTypeAttributeBuilder;
+import at.gv.egovernment.moa.id.protocols.builder.attributes.SimpleStringAttributeGenerator;
 import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
 import at.gv.egovernment.moa.id.storage.IAuthenticationSessionStoreage;
 import at.gv.egovernment.moa.id.util.IdentityLinkReSigner;
@@ -532,7 +536,7 @@ public class AuthenticationDataBuilder extends AbstractAuthenticationDataBuilder
 			}
 
 			//build foreign bPKs
-			generateForeignbPK(authData, oaParam.foreignbPKSectorsRequested()); 
+			generateForeignbPK(oaParam, authData); 
 			
 			
 			if (Boolean.parseBoolean(
@@ -806,9 +810,41 @@ public class AuthenticationDataBuilder extends AbstractAuthenticationDataBuilder
         
 	}
 	
-	private void generateForeignbPK(MOAAuthenticationData authData, List<String> foreignSectors) {
+	private void generateForeignbPK(IOAAuthParameters oaParam, MOAAuthenticationData authData) {
+		List<String> foreignSectors = oaParam.foreignbPKSectorsRequested();
+		
 		if (foreignSectors != null && !foreignSectors.isEmpty()) {
-			Logger.debug("Sectors for foreign bPKs are configurated. Starting foreign bPK generation ... ");					
+			Logger.debug("Sectors for foreign bPKs are configurated. Starting foreign bPK generation ... ");
+			
+			
+			String mandatorBaseId = null;
+			String mandatorBaseIdType = null;
+			boolean isMandatorBaseIdAvailable = false;
+			if (authData.isUseMandate()) {
+				try {					
+					Logger.trace("Mandates are used. Extracting mandators sourceID from mandate to calculate foreign encrypted bPKs... ");
+					
+					//TODO: remove this workaround in a further version!!!
+					boolean flagBak = authData.isBaseIDTransferRestrication();
+					authData.setBaseIDTransferRestrication(false);
+					mandatorBaseId = new MandateNaturalPersonSourcePinAttributeBuilder().build(
+							oaParam, authData, new SimpleStringAttributeGenerator());
+					mandatorBaseIdType = new MandateNaturalPersonSourcePinTypeAttributeBuilder().build(
+							oaParam, authData, new SimpleStringAttributeGenerator());
+					authData.setBaseIDTransferRestrication(flagBak);
+					
+					isMandatorBaseIdAvailable = StringUtils.isNotEmpty(mandatorBaseId) && StringUtils.isNotEmpty(mandatorBaseIdType);
+					if (!isMandatorBaseIdAvailable)
+						Logger.debug("Can NOT extract mandators sourceId for natural persons from mandate.");
+										
+				} catch (Exception e) {
+					Logger.debug("Can NOT extract mandators sourceId for natural persons from mandate. Reason: " + e.getMessage());
+					if (Logger.isTraceEnabled())
+						Logger.warn("Detail: ", e);
+				
+				}
+			}
+			
 			for (String foreignSector : foreignSectors) {
 				Logger.trace("Process sector: " + foreignSector + " ... ");
 				if (encKeyMap.containsKey(foreignSector)) {
@@ -838,9 +874,23 @@ public class AuthenticationDataBuilder extends AbstractAuthenticationDataBuilder
 									authData.getIdentificationType(), 										
 									sector);								
 							String foreignbPK = BPKBuilder.encryptBPK(bpk.getFirst(), bpk.getSecond(), encKeyMap.get(foreignSector).getPublicKey());																		
-							authData.getEncbPKList().add("(" + foreignSector + "|" +  foreignbPK + ")");
+							
+							authData.getEncbPKList().add(Pair.newInstance(foreignbPK, foreignSector));																					
 							Logger.debug("Foreign bPK for sector: " + foreignSector + " created.");
 							
+							
+							//calculate foreign bPKs for natural-person mandates
+							if (isMandatorBaseIdAvailable) {
+								Pair<String, String> mandatorbpk = new BPKBuilder().generateAreaSpecificPersonIdentifier(
+										mandatorBaseId, 
+										mandatorBaseIdType, 										
+										sector);								
+								String foreignMandatorbPK = BPKBuilder.encryptBPK(mandatorbpk.getFirst(), mandatorbpk.getSecond(), encKeyMap.get(foreignSector).getPublicKey());																		
+								
+								authData.getEncMandateNaturalPersonbPKList().add(Pair.newInstance(foreignMandatorbPK, foreignSector));																					
+								Logger.debug("Foreign mandator bPK for sector: " + foreignSector + " created.");
+								
+							}														
 						}
 														
 					} catch (Exception e) {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IMOAAuthData.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IMOAAuthData.java
index 415f4db18..af4cf6fa7 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IMOAAuthData.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IMOAAuthData.java
@@ -5,6 +5,7 @@ import java.util.List;
 import org.w3c.dom.Element;
 
 import at.gv.egiz.eaaf.core.api.idp.IAuthData;
+import at.gv.egiz.eaaf.core.impl.data.Pair;
 import at.gv.egovernment.moa.id.commons.api.data.IMISMandate;
 
 public interface IMOAAuthData extends IAuthData{
@@ -17,7 +18,22 @@ public interface IMOAAuthData extends IAuthData{
 	  */
 	 String getQAALevel();
 	 
-	 List<String> getEncbPKList();	 	 
+	 /**
+	  * Get a List of Pair<Encrytped bPK, bPKTarget>, where the bPKTarget is formated according
+	  * to Section 3.2.7 ENC-BPK-LIST in PVP Attribute-Profile 2.1.3
+	  * 
+	  * @return
+	  */
+	 List<Pair<String, String>> getEncbPKList();
+	 
+	 /**
+	  * Get a List of Pair<Encrytped bPK, bPKTarget> for natural-person mandates, where 
+	  * the bPKTarget is formated according to Section 3.2.7 ENC-BPK-LIST in PVP Attribute-Profile 2.1.3
+	  * 
+	  * @return
+	  */
+	 List<Pair<String, String>> getEncMandateNaturalPersonbPKList();
+		 
      byte[] getSignerCertificate();
 	 String getAuthBlock();	 
 	 boolean isPublicAuthority();
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/MOAAuthenticationData.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/MOAAuthenticationData.java
index c1545f354..897a06e62 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/MOAAuthenticationData.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/MOAAuthenticationData.java
@@ -29,6 +29,7 @@ import java.util.List;
 import org.w3c.dom.Element;
 
 import at.gv.egiz.eaaf.core.api.data.ILoALevelMapper;
+import at.gv.egiz.eaaf.core.impl.data.Pair;
 import at.gv.egiz.eaaf.core.impl.idp.AuthenticationData;
 import at.gv.egiz.eaaf.core.impl.utils.DOMUtils;
 import at.gv.egiz.eaaf.modules.pvp2.sp.exception.AssertionAttributeExtractorExeption;
@@ -54,8 +55,10 @@ public class MOAAuthenticationData extends AuthenticationData implements IMOAAut
 	private byte[] signerCertificate = null;
 	private String authBlock = null;	
 	private String QAALevel = null;
-	private List<String> encbPKList;
-
+	
+	private List<Pair<String, String>> encbPKList;
+	private List<Pair<String, String>> encMandateNaturalPersonbPKList;
+	
 	//ISA 1.18 attributes
 	private List<AuthenticationRole> roles = null;
 	private String pvpAttribute_OU = null;
@@ -106,9 +109,9 @@ public class MOAAuthenticationData extends AuthenticationData implements IMOAAut
 	}
 
 	@Override
-	public List<String> getEncbPKList() {
+	public List<Pair<String, String>> getEncbPKList() {
 		if (this.encbPKList == null)
-			this.encbPKList = new ArrayList<String>();
+			this.encbPKList = new ArrayList<Pair<String, String>>();
 		
 		return this.encbPKList;
 	}
@@ -293,10 +296,27 @@ public class MOAAuthenticationData extends AuthenticationData implements IMOAAut
 	}
 	
 	/**
+	 * Set a List of encrypted bPKs where each List element is formated according 
+	 * to Section 3.2.7 ENC-BPK-LIST in PVP Attribte-Profile 2.1.3 
+	 * 
 	 * @param encbPKList the encbPKList to set
 	 */
 	public void setEncbPKList(List<String> encbPKList) {
-		this.encbPKList = encbPKList;
+		if (encbPKList != null) {
+			for (String el : encbPKList) {
+				Logger.trace("Processing foreign bPK string: " + el );
+				int index = el.indexOf("|");								 
+				if (index >= 0) {
+					String encbPK = el.substring(index+1);
+					String second = el.substring(0, index);										
+					getEncbPKList().add(Pair.newInstance(encbPK, second));
+										
+				} else
+					Logger.info("Foreign bPK: " + el + " is misformatted. Ignore it");
+				
+			}
+						
+		}				
 	}
 	
 	
@@ -336,5 +356,19 @@ public class MOAAuthenticationData extends AuthenticationData implements IMOAAut
 	  public void setIseIDNewDemoMode(boolean iseIDNewDemoMode) {
 		  this.iseIDNewDemoMode = iseIDNewDemoMode;
 	  }
+
+	public List<Pair<String, String>> getEncMandateNaturalPersonbPKList() {
+		if (this.encMandateNaturalPersonbPKList == null)
+			this.encMandateNaturalPersonbPKList = new ArrayList<Pair<String, String>>();
+		
+		return this.encMandateNaturalPersonbPKList;
+		
+	}
+
+	public void setEncMandateNaturalPersonbPKList(List<Pair<String, String>> encMandateNaturalPersonbPKList) {
+		this.encMandateNaturalPersonbPKList = encMandateNaturalPersonbPKList;
+	}
+	  
+	  
 	
 }
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/BPKListAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/BPKListAttributeBuilder.java
index ec8c7629f..c5a8d88b7 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/BPKListAttributeBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/BPKListAttributeBuilder.java
@@ -18,7 +18,9 @@ public class BPKListAttributeBuilder extends BPKAttributeBuilder implements IPVP
 	
 	private static final Logger log = LoggerFactory.getLogger(BPKListAttributeBuilder.class);
 	
-	protected static final String DELIMITER_BPK_LIST = ";";
+	public static final String DELIMITER_BPK_LIST = ";";
+	public static final String LIST_ELEMENT_START = "(";
+	public static final String LIST_ELEMENT_END = ")";
 	
 	public String getName() {
 		return BPK_LIST_NAME;
@@ -26,16 +28,18 @@ public class BPKListAttributeBuilder extends BPKAttributeBuilder implements IPVP
 	
 	public <ATT> ATT build(ISPConfiguration oaParam, IAuthData authData,
 			IAttributeGenerator<ATT> g) throws AttributeBuilderException {
-		String result = getBpkForSP(authData);
+		String result = LIST_ELEMENT_START + getBpkForSP(authData) + LIST_ELEMENT_END;
 		
 		//add additional bPKs if someone are available
 		if (authData.getAdditionalbPKs() != null && !authData.getAdditionalbPKs().isEmpty()) {
 			log.info("Adding additional bPKs into bPK attribute");
 			for (Pair<String, String> el : authData.getAdditionalbPKs()) {
 				result += DELIMITER_BPK_LIST 
-							+ removeBpkTypePrefix(el.getSecond()) 
-							+ DELIMITER_BPKTYPE_BPK 
-							+ attrMaxSize(el.getFirst());
+							+ LIST_ELEMENT_START 
+								+ removeBpkTypePrefix(el.getSecond()) 
+								+ DELIMITER_BPKTYPE_BPK 
+								+ attrMaxSize(el.getFirst())
+							+ LIST_ELEMENT_END;
 				
 			}
 			log.trace("Authenticate user with bPK-List: " + result);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EncryptedBPKAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EncryptedBPKAttributeBuilder.java
index 44043ec40..bf7187e51 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EncryptedBPKAttributeBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EncryptedBPKAttributeBuilder.java
@@ -28,6 +28,7 @@ import at.gv.egiz.eaaf.core.api.idp.IPVPAttributeBuilder;
 import at.gv.egiz.eaaf.core.api.idp.ISPConfiguration;
 import at.gv.egiz.eaaf.core.exceptions.AttributeBuilderException;
 import at.gv.egiz.eaaf.core.exceptions.UnavailableAttributeException;
+import at.gv.egiz.eaaf.core.impl.data.Pair;
 import at.gv.egiz.eaaf.core.impl.idp.builder.attributes.PVPMETADATA;
 import at.gv.egovernment.moa.id.data.IMOAAuthData;
 import at.gv.egovernment.moa.logging.Logger;
@@ -35,6 +36,8 @@ import at.gv.egovernment.moa.logging.Logger;
 @PVPMETADATA
 public class EncryptedBPKAttributeBuilder implements IPVPAttributeBuilder {
 	
+	public static final String DELIMITER_ENCBPK_TARGET = "|";
+	
 	public String getName() {
 		return ENC_BPK_LIST_NAME;
 	}
@@ -45,12 +48,22 @@ public class EncryptedBPKAttributeBuilder implements IPVPAttributeBuilder {
 		if (authData instanceof IMOAAuthData) {
 			if (((IMOAAuthData)authData).getEncbPKList() != null &&
 					((IMOAAuthData)authData).getEncbPKList().size() > 0) {
-				String value = ((IMOAAuthData)authData).getEncbPKList().get(0);
-				for (int i=1; i<((IMOAAuthData)authData).getEncbPKList().size(); i++)
-					value += ";"+((IMOAAuthData)authData).getEncbPKList().get(i);			
+				Pair<String, String> value = ((IMOAAuthData)authData).getEncbPKList().get(0);				
+				String result = BPKListAttributeBuilder.LIST_ELEMENT_START 
+									+ value.getSecond() + DELIMITER_ENCBPK_TARGET +  value.getFirst() 
+								+ BPKListAttributeBuilder.LIST_ELEMENT_END;
+				
+				for (int i=1; i<((IMOAAuthData)authData).getEncbPKList().size(); i++) {
+					Pair<String, String> el = ((IMOAAuthData)authData).getEncbPKList().get(i);					
+					result += BPKListAttributeBuilder.DELIMITER_BPK_LIST 
+								+ BPKListAttributeBuilder.LIST_ELEMENT_START 
+									+ el.getSecond() + DELIMITER_ENCBPK_TARGET +  el.getFirst() 
+								+ BPKListAttributeBuilder.LIST_ELEMENT_END;		
+					
+				}
 			
 				return g.buildStringAttribute(ENC_BPK_LIST_FRIENDLY_NAME, ENC_BPK_LIST_NAME, 
-						value);
+						result);
 			
 			}
 			
@@ -59,16 +72,6 @@ public class EncryptedBPKAttributeBuilder implements IPVPAttributeBuilder {
 		
 		throw new UnavailableAttributeException(ENC_BPK_LIST_NAME);
 		
-//		String encbpk = "XXX01234567890XXX";
-//		String type = "Bereich";
-//		String vkz = "Verfahrenskennzeichen";
-//		
-//		//TODO: implement encrypted bPK support
-//		
-//		Logger.trace("Authenticate user with encrypted bPK " + vkz + "+" + type + "|" + encbpk);
-//		
-//		return g.buildStringAttribute(ENC_BPK_LIST_FRIENDLY_NAME, ENC_BPK_LIST_NAME, 
-//				vkz + "+" + type + "|" + encbpk);
 	}
 	
 	public <ATT> ATT buildEmpty(IAttributeGenerator<ATT> g) {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBPKAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBPKAttributeBuilder.java
index f67f79dcf..4d41cc19b 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBPKAttributeBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBPKAttributeBuilder.java
@@ -22,11 +22,13 @@
  *******************************************************************************/
 package at.gv.egovernment.moa.id.protocols.builder.attributes;
 
+import org.apache.commons.lang3.StringUtils;
 import org.w3c.dom.Element;
 
 import at.gv.e_government.reference.namespace.mandates._20040701_.Mandate;
 import at.gv.e_government.reference.namespace.persondata._20020228_.IdentificationType;
 import at.gv.e_government.reference.namespace.persondata._20020228_.PhysicalPersonType;
+import at.gv.egiz.eaaf.core.api.data.EAAFConstants;
 import at.gv.egiz.eaaf.core.api.idp.IAttributeGenerator;
 import at.gv.egiz.eaaf.core.api.idp.IAuthData;
 import at.gv.egiz.eaaf.core.api.idp.IPVPAttributeBuilder;
@@ -36,9 +38,9 @@ import at.gv.egiz.eaaf.core.exceptions.EAAFBuilderException;
 import at.gv.egiz.eaaf.core.exceptions.UnavailableAttributeException;
 import at.gv.egiz.eaaf.core.impl.data.Pair;
 import at.gv.egiz.eaaf.core.impl.idp.auth.builder.BPKBuilder;
+import at.gv.egiz.eaaf.core.impl.idp.builder.attributes.BPKAttributeBuilder;
 import at.gv.egiz.eaaf.core.impl.idp.builder.attributes.PVPMETADATA;
 import at.gv.egovernment.moa.id.auth.exception.BuildException;
-import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
 import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
 import at.gv.egovernment.moa.id.data.IMOAAuthData;
 import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.NoMandateDataAttributeException;
@@ -57,42 +59,10 @@ public class MandateNaturalPersonBPKAttributeBuilder implements IPVPAttributeBui
 	public <ATT> ATT build(ISPConfiguration oaParam, IAuthData authData,
 			IAttributeGenerator<ATT> g) throws AttributeBuilderException {						
 		try {			
-			Pair<String, String> calcResult = internalBPKGenerator((IOAAuthParameters)oaParam, authData);
-			if (calcResult != null) {					
-				String bpk = calcResult.getFirst();
-				String type = calcResult.getSecond();
-				
-				if (MiscUtil.isEmpty(bpk))
-					throw new UnavailableAttributeException(BPK_NAME);
-				
-				if (type != null) {	
-					if (type.startsWith(Constants.URN_PREFIX_WBPK))
-						type = type.substring((Constants.URN_PREFIX_WBPK + "+").length());
-				
-					else if (type.startsWith(Constants.URN_PREFIX_CDID)) 
-						type = type.substring((Constants.URN_PREFIX_CDID + "+").length());
-				
-					else if (type.startsWith(Constants.URN_PREFIX_EIDAS)) 
-						type = type.substring((Constants.URN_PREFIX_EIDAS + "+").length());
-					
-				} else {
-					Logger.debug("bPK type is 'null' --> use it as it is");
-					
-				}
-				
-				if (bpk.length() > BPK_MAX_LENGTH) {
-					bpk = bpk.substring(0, BPK_MAX_LENGTH);
-				}
-				
-				Logger.trace("Authenticate user with bPK/wbPK " + bpk + " and Type=" + type);
-				
-				if (type != null)
-					return g.buildStringAttribute(MANDATE_NAT_PER_BPK_FRIENDLY_NAME, MANDATE_NAT_PER_BPK_NAME, type + ":" + bpk);
-				else
-					return g.buildStringAttribute(MANDATE_NAT_PER_BPK_FRIENDLY_NAME, MANDATE_NAT_PER_BPK_NAME, bpk);
-			
-			}
-			
+			String bPKResult = getBpkAttributeStringForSP(oaParam, authData);
+			if (StringUtils.isNoneEmpty(bPKResult))
+				return g.buildStringAttribute(MANDATE_NAT_PER_BPK_FRIENDLY_NAME, MANDATE_NAT_PER_BPK_NAME, bPKResult);
+						
 		}
 		catch (BuildException | ConfigurationException | EAAFBuilderException e) {
 			Logger.error("Failed to generate IdentificationType");
@@ -103,12 +73,109 @@ public class MandateNaturalPersonBPKAttributeBuilder implements IPVPAttributeBui
 		return null;
 		
 	}
-	
+		
 	public <ATT> ATT buildEmpty(IAttributeGenerator<ATT> g) {
 		return g.buildEmptyAttribute(MANDATE_NAT_PER_BPK_FRIENDLY_NAME, MANDATE_NAT_PER_BPK_NAME);
 	}
 	
-	protected Pair<String, String> internalBPKGenerator(ISPConfiguration oaParam, IAuthData authData) throws NoMandateDataAttributeException, BuildException, ConfigurationException, EAAFBuilderException {		
+	protected Pair<String, String> getBpkForSp(ISPConfiguration oaParam, IAuthData authData) throws NoMandateDataAttributeException, BuildException, ConfigurationException, EAAFBuilderException {
+		Pair<String, String> baseId = getBaseIdFromMandate(oaParam, authData);
+		Pair<String, String> bPKResult = null;
+		
+		if (baseId != null) {			
+			if (baseId.getSecond() != null && baseId.getSecond().equals(Constants.URN_PREFIX_BASEID))									
+				bPKResult  = new BPKBuilder().generateAreaSpecificPersonIdentifier(baseId.getFirst(), 
+						oaParam.getAreaSpecificTargetIdentifier());								
+			else {
+				Logger.debug("No BaseId target in mandate. Use it as it is ... ");
+				bPKResult = Pair.newInstance(baseId.getFirst(), null);
+			
+			}
+		}
+		
+		return bPKResult;
+		
+	}
+	
+	
+	/**
+	 * Generate the bPK String for this specific SP
+	 * 
+	 * @param oaParam
+	 * @param authData
+	 * @return
+	 * @throws UnavailableAttributeException
+	 * @throws EAAFBuilderException 
+	 * @throws ConfigurationException 
+	 * @throws BuildException 
+	 * @throws NoMandateDataAttributeException 
+	 */
+	protected String getBpkAttributeStringForSP(ISPConfiguration oaParam, IAuthData authData) throws UnavailableAttributeException, EAAFBuilderException, NoMandateDataAttributeException, BuildException, ConfigurationException {				
+		Pair<String, String> bPKResult = getBpkForSp(oaParam, authData);
+		if (bPKResult != null) {					
+			String bpk = bPKResult.getFirst();
+			String type = bPKResult.getSecond();
+			
+			if (MiscUtil.isEmpty(bpk))
+				throw new UnavailableAttributeException(BPK_NAME);
+			
+			if (type != null)
+				type = removeBpkTypePrefix(type);					
+			else
+				Logger.debug("bPK type is 'null' --> use it as it is");
+								
+			bpk = attrMaxSize(bpk);
+			
+			Logger.trace("Authenticate user with bPK/wbPK " + bpk + " and Type=" + type);
+			
+			if (type != null)
+				return type + BPKAttributeBuilder.DELIMITER_BPKTYPE_BPK + bpk;
+			else
+				return bpk;
+		
+		}
+		
+		return null;
+		
+	}
+	
+	
+	/**
+	 * Limit the attribute value to maximum size
+	 * 
+	 * @param attr
+	 * @return
+	 */
+	protected String attrMaxSize(String attr) {
+		if (attr != null && attr.length() > BPK_MAX_LENGTH) {
+			attr = attr.substring(0, BPK_MAX_LENGTH);
+		}
+		return attr;
+		
+	}
+	
+	/**
+	 * Remove bPKType prefix if available
+	 * 
+	 * @param type
+	 * @return
+	 */
+	protected String removeBpkTypePrefix(String type) {
+		if (type.startsWith(EAAFConstants.URN_PREFIX_WBPK))
+			return type.substring((EAAFConstants.URN_PREFIX_WBPK).length());
+		
+		else if (type.startsWith(EAAFConstants.URN_PREFIX_CDID)) 
+			return type.substring((EAAFConstants.URN_PREFIX_CDID).length());
+		
+		else if (type.startsWith(EAAFConstants.URN_PREFIX_EIDAS)) 
+			return type.substring((EAAFConstants.URN_PREFIX_EIDAS).length());
+		
+		else
+			return type;
+		
+	}
+	
+	protected Pair<String, String> getBaseIdFromMandate(ISPConfiguration oaParam, IAuthData authData) throws NoMandateDataAttributeException, BuildException, ConfigurationException, EAAFBuilderException {		
 		//get PVP attribute directly, if exists 
 		Pair<String, String> calcResult = null;
 		if (authData instanceof IMOAAuthData) {
@@ -136,13 +203,8 @@ public class MandateNaturalPersonBPKAttributeBuilder implements IPVPAttributeBui
 						Logger.info("Failed to generate IdentificationType");
 						throw new NoMandateDataAttributeException();
 					}
-				
-									
-					if (id.getType().equals(Constants.URN_PREFIX_BASEID))									
-						calcResult = new BPKBuilder().generateAreaSpecificPersonIdentifier(id.getValue().getValue(), 
-								oaParam.getAreaSpecificTargetIdentifier());								
-					else
-						calcResult = Pair.newInstance(id.getValue().getValue(), id.getType());
+													
+					calcResult = Pair.newInstance(id.getValue().getValue(), id.getType());
 	
 				
 				} else {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBPKListAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBPKListAttributeBuilder.java
new file mode 100644
index 000000000..fd00e2f61
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBPKListAttributeBuilder.java
@@ -0,0 +1,83 @@
+
+package at.gv.egovernment.moa.id.protocols.builder.attributes;
+
+import org.apache.commons.lang3.StringUtils;
+
+import at.gv.egiz.eaaf.core.api.idp.IAttributeGenerator;
+import at.gv.egiz.eaaf.core.api.idp.IAuthData;
+import at.gv.egiz.eaaf.core.api.idp.IPVPAttributeBuilder;
+import at.gv.egiz.eaaf.core.api.idp.ISPConfiguration;
+import at.gv.egiz.eaaf.core.exceptions.AttributeBuilderException;
+import at.gv.egiz.eaaf.core.exceptions.EAAFBuilderException;
+import at.gv.egiz.eaaf.core.impl.data.Pair;
+import at.gv.egiz.eaaf.core.impl.idp.auth.builder.BPKBuilder;
+import at.gv.egiz.eaaf.core.impl.idp.builder.attributes.BPKAttributeBuilder;
+import at.gv.egiz.eaaf.core.impl.idp.builder.attributes.PVPMETADATA;
+import at.gv.egovernment.moa.id.auth.exception.BuildException;
+import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.NoMandateDataAttributeException;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.Constants;
+
+@PVPMETADATA
+public class MandateNaturalPersonBPKListAttributeBuilder extends MandateNaturalPersonBPKAttributeBuilder implements IPVPAttributeBuilder {
+			
+	public String getName() {
+		return MANDATE_NAT_PER_BPK_LIST_NAME;
+	}
+	
+	public <ATT> ATT build(ISPConfiguration oaParam, IAuthData authData,
+			IAttributeGenerator<ATT> g) throws AttributeBuilderException {
+		
+		try {
+			String result = getBpkAttributeStringForSP(oaParam, authData);
+		
+			if (result != null) {
+				result = BPKListAttributeBuilder.LIST_ELEMENT_START + result + BPKListAttributeBuilder.LIST_ELEMENT_END;
+				
+				//add additional bPKs if someone are available
+				if (authData.getAdditionalbPKs() != null && !authData.getAdditionalbPKs().isEmpty()) {			
+					Logger.info("Additional bPKs available. Calculate additional bPKs for mandate ... ");			
+					Pair<String, String> baseId = getBaseIdFromMandate(oaParam, authData);			
+					if (baseId != null && StringUtils.isNotEmpty(baseId.getSecond()) 
+							&& baseId.getSecond().equals(Constants.URN_PREFIX_BASEID)) {			
+						for (Pair<String, String> el : authData.getAdditionalbPKs()) {
+							
+							Pair<String, String> addBpk = 
+									new BPKBuilder().generateAreaSpecificPersonIdentifier(
+											baseId.getFirst(), 
+											el.getSecond());	
+							
+							Logger.trace("Calculate bPK with " + addBpk.toString());
+							
+							result += BPKListAttributeBuilder.DELIMITER_BPK_LIST 
+										+ BPKListAttributeBuilder.LIST_ELEMENT_START 
+											+ removeBpkTypePrefix(addBpk.getSecond()) 
+											+ BPKAttributeBuilder.DELIMITER_BPKTYPE_BPK 
+											+ attrMaxSize(addBpk.getFirst())
+										+ BPKListAttributeBuilder.LIST_ELEMENT_END;
+				
+						}
+					}
+				}
+		
+				Logger.trace("Authenticate user with List of bPK/wbPK: " + result + " for mandate");		
+				return g.buildStringAttribute(MANDATE_NAT_PER_BPK_LIST_FRIENDLY_NAME, MANDATE_NAT_PER_BPK_LIST_NAME, result);
+			
+			}
+			
+			return null;
+			
+		} catch (BuildException | ConfigurationException | EAAFBuilderException e) {
+			Logger.error("Failed to generate IdentificationType");
+			throw new NoMandateDataAttributeException();
+				
+		}
+		
+	}
+	
+	public <ATT> ATT buildEmpty(IAttributeGenerator<ATT> g) {
+		return g.buildEmptyAttribute(MANDATE_NAT_PER_BPK_LIST_FRIENDLY_NAME, MANDATE_NAT_PER_BPK_LIST_NAME);
+	}
+	
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonEncBPKListAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonEncBPKListAttributeBuilder.java
new file mode 100644
index 000000000..220ccd94e
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonEncBPKListAttributeBuilder.java
@@ -0,0 +1,62 @@
+
+package at.gv.egovernment.moa.id.protocols.builder.attributes;
+
+import at.gv.egiz.eaaf.core.api.idp.IAttributeGenerator;
+import at.gv.egiz.eaaf.core.api.idp.IAuthData;
+import at.gv.egiz.eaaf.core.api.idp.IPVPAttributeBuilder;
+import at.gv.egiz.eaaf.core.api.idp.ISPConfiguration;
+import at.gv.egiz.eaaf.core.exceptions.AttributeBuilderException;
+import at.gv.egiz.eaaf.core.exceptions.UnavailableAttributeException;
+import at.gv.egiz.eaaf.core.impl.data.Pair;
+import at.gv.egiz.eaaf.core.impl.idp.builder.attributes.PVPMETADATA;
+import at.gv.egovernment.moa.id.data.IMOAAuthData;
+import at.gv.egovernment.moa.logging.Logger;
+
+@PVPMETADATA
+public class MandateNaturalPersonEncBPKListAttributeBuilder implements IPVPAttributeBuilder {
+			
+	public String getName() {
+		return MANDATE_NAT_PER_ENC_BPK_LIST_NAME;
+	}
+	
+	public <ATT> ATT build(ISPConfiguration oaParam, IAuthData authData,
+			IAttributeGenerator<ATT> g) throws AttributeBuilderException {
+		
+		if (authData instanceof IMOAAuthData) {			
+			if (((IMOAAuthData) authData).isUseMandate()) {			
+				if (((IMOAAuthData)authData).getEncMandateNaturalPersonbPKList() != null &&
+						((IMOAAuthData)authData).getEncMandateNaturalPersonbPKList().size() > 0) {
+					Pair<String, String> value = ((IMOAAuthData)authData).getEncMandateNaturalPersonbPKList().get(0);				
+					String result = BPKListAttributeBuilder.LIST_ELEMENT_START 
+										+ value.getSecond() + EncryptedBPKAttributeBuilder.DELIMITER_ENCBPK_TARGET +  value.getFirst() 
+									+ BPKListAttributeBuilder.LIST_ELEMENT_END;
+				
+					for (int i=1; i<((IMOAAuthData)authData).getEncMandateNaturalPersonbPKList().size(); i++) {
+						Pair<String, String> el = ((IMOAAuthData)authData).getEncMandateNaturalPersonbPKList().get(i);					
+						result += BPKListAttributeBuilder.DELIMITER_BPK_LIST 
+									+ BPKListAttributeBuilder.LIST_ELEMENT_START 
+										+ el.getSecond() + EncryptedBPKAttributeBuilder.DELIMITER_ENCBPK_TARGET +  el.getFirst() 
+										+ BPKListAttributeBuilder.LIST_ELEMENT_END;		
+					
+					}
+			
+					return g.buildStringAttribute(MANDATE_NAT_PER_ENC_BPK_LIST_FRIENDLY_NAME, MANDATE_NAT_PER_ENC_BPK_LIST_NAME, 
+							result);
+			
+				}
+				
+			} else
+				Logger.trace(MANDATE_NAT_PER_ENC_BPK_LIST_FRIENDLY_NAME + " is only availabe if mandates are used");
+						
+		} else
+			Logger.info(MANDATE_NAT_PER_ENC_BPK_LIST_FRIENDLY_NAME + " is only available in MOA-ID context");
+		
+		throw new UnavailableAttributeException(MANDATE_NAT_PER_ENC_BPK_LIST_NAME);
+		
+	}
+	
+	public <ATT> ATT buildEmpty(IAttributeGenerator<ATT> g) {
+		return g.buildEmptyAttribute(MANDATE_NAT_PER_ENC_BPK_LIST_FRIENDLY_NAME, MANDATE_NAT_PER_ENC_BPK_LIST_NAME);
+	}
+		
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonSourcePinAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonSourcePinAttributeBuilder.java
index 32b45a595..88648b56e 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonSourcePinAttributeBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonSourcePinAttributeBuilder.java
@@ -39,6 +39,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.No
 import at.gv.egovernment.moa.id.util.MandateBuilder;
 import at.gv.egovernment.moa.logging.Logger;
 
+@Deprecated
 @PVPMETADATA
 public class MandateNaturalPersonSourcePinAttributeBuilder  implements IPVPAttributeBuilder {
 
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonSourcePinTypeAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonSourcePinTypeAttributeBuilder.java
index 90a0d61c9..223994e6e 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonSourcePinTypeAttributeBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonSourcePinTypeAttributeBuilder.java
@@ -38,6 +38,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.No
 import at.gv.egovernment.moa.id.util.MandateBuilder;
 import at.gv.egovernment.moa.logging.Logger;
 
+@Deprecated
 @PVPMETADATA
 public class MandateNaturalPersonSourcePinTypeAttributeBuilder implements IPVPAttributeBuilder  {
 
diff --git a/id/server/idserverlib/src/main/resources/META-INF/services/at.gv.egiz.eaaf.core.api.idp.IAttributeBuilder b/id/server/idserverlib/src/main/resources/META-INF/services/at.gv.egiz.eaaf.core.api.idp.IAttributeBuilder
index b4e62a344..a10b9b3e0 100644
--- a/id/server/idserverlib/src/main/resources/META-INF/services/at.gv.egiz.eaaf.core.api.idp.IAttributeBuilder
+++ b/id/server/idserverlib/src/main/resources/META-INF/services/at.gv.egiz.eaaf.core.api.idp.IAttributeBuilder
@@ -21,3 +21,5 @@ at.gv.egovernment.moa.id.protocols.builder.attributes.MandateTypeAttributeBuilde
 at.gv.egovernment.moa.id.protocols.builder.attributes.MandateTypeOIDAttributeBuilder
 at.gv.egovernment.moa.id.protocols.builder.attributes.HolderOfKey
 at.gv.egovernment.moa.id.protocols.builder.attributes.BPKListAttributeBuilder
+at.gv.egovernment.moa.id.protocols.builder.attributes.MandateNaturalPersonBPKListAttributeBuilder
+at.gv.egovernment.moa.id.protocols.builder.attributes.MandateNaturalPersonEncBPKListAttributeBuilder
diff --git a/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/AuthenticationDataBuilderTest.java b/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/AuthenticationDataBuilderTest.java
index 1ea057186..c3420d833 100644
--- a/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/AuthenticationDataBuilderTest.java
+++ b/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/AuthenticationDataBuilderTest.java
@@ -10,6 +10,7 @@ import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.test.context.ContextConfiguration;
 import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
 
+import at.gv.egiz.eaaf.core.impl.data.Pair;
 import at.gv.egiz.eaaf.core.impl.idp.module.test.TestRequestImpl;
 import at.gv.egovernment.moa.id.auth.builder.AuthenticationDataBuilder;
 import at.gv.egovernment.moa.id.auth.parser.IdentityLinkAssertionParser;
@@ -72,14 +73,14 @@ public class AuthenticationDataBuilderTest {
 			throw new Exception("bPKType wrong");
 		
 		
-		List<String> foreignbPKs = authData.getEncbPKList();
+		List<Pair<String, String>> foreignbPKs = authData.getEncbPKList();
 		if (foreignbPKs.isEmpty())
 			throw new Exception("NO foreign bPK list is null");
 		
 		if (foreignbPKs.size() != 1)
 			throw new Exception("NO or MORE THAN ONE foreign bPK");
 		
-		if (!foreignbPKs.get(0).startsWith("(wbpk+FN+195738a|") && !(foreignbPKs.get(0).endsWith(")")))
+		if (!foreignbPKs.get(0).getSecond().equals("wbpk+FN+195738a") && !(foreignbPKs.get(0).getFirst().isEmpty()))
 			throw new Exception("foreign bPK has wrong prefix");
 				
 	}
diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OAuth20AttributeBuilder.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OAuth20AttributeBuilder.java
index 8e9d1e4f5..9779b0cf4 100644
--- a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OAuth20AttributeBuilder.java
+++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OAuth20AttributeBuilder.java
@@ -55,7 +55,9 @@ import at.gv.egovernment.moa.id.protocols.builder.attributes.MandateLegalPersonF
 import at.gv.egovernment.moa.id.protocols.builder.attributes.MandateLegalPersonSourcePinAttributeBuilder;
 import at.gv.egovernment.moa.id.protocols.builder.attributes.MandateLegalPersonSourcePinTypeAttributeBuilder;
 import at.gv.egovernment.moa.id.protocols.builder.attributes.MandateNaturalPersonBPKAttributeBuilder;
+import at.gv.egovernment.moa.id.protocols.builder.attributes.MandateNaturalPersonBPKListAttributeBuilder;
 import at.gv.egovernment.moa.id.protocols.builder.attributes.MandateNaturalPersonBirthDateAttributeBuilder;
+import at.gv.egovernment.moa.id.protocols.builder.attributes.MandateNaturalPersonEncBPKListAttributeBuilder;
 import at.gv.egovernment.moa.id.protocols.builder.attributes.MandateNaturalPersonFamilyNameAttributeBuilder;
 import at.gv.egovernment.moa.id.protocols.builder.attributes.MandateNaturalPersonGivenNameAttributeBuilder;
 import at.gv.egovernment.moa.id.protocols.builder.attributes.MandateNaturalPersonSourcePinAttributeBuilder;
@@ -139,6 +141,8 @@ public final class OAuth20AttributeBuilder {
 		buildersMandate.add(new MandateNaturalPersonSourcePinAttributeBuilder());
 		buildersMandate.add(new MandateNaturalPersonSourcePinTypeAttributeBuilder());
 		buildersMandate.add(new MandateNaturalPersonBPKAttributeBuilder());
+		buildersMandate.add(new MandateNaturalPersonBPKListAttributeBuilder());
+		buildersMandate.add(new MandateNaturalPersonEncBPKListAttributeBuilder());
 		buildersMandate.add(new MandateNaturalPersonFamilyNameAttributeBuilder());
 		buildersMandate.add(new MandateNaturalPersonGivenNameAttributeBuilder());
 		buildersMandate.add(new MandateNaturalPersonBirthDateAttributeBuilder());
diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferAuthenticationData.java b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferAuthenticationData.java
index 02577c110..e7280f847 100644
--- a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferAuthenticationData.java
+++ b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferAuthenticationData.java
@@ -198,7 +198,7 @@ public class SSOTransferAuthenticationData implements IMOAAuthData {
 	 * @see at.gv.egovernment.moa.id.data.IAuthData#getEncbPKList()
 	 */
 	@Override
-	public List<String> getEncbPKList() {
+	public List<Pair<String, String>> getEncbPKList() {
 		// TODO Auto-generated method stub
 		return null;
 	}
@@ -387,5 +387,11 @@ public class SSOTransferAuthenticationData implements IMOAAuthData {
 		return false;
 	}
 
+	@Override
+	public List<Pair<String, String>> getEncMandateNaturalPersonbPKList() {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
 
 }
diff --git a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java
index 23d214d3e..64a4bae63 100644
--- a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java
+++ b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java
@@ -48,6 +48,7 @@ import at.gv.egiz.eaaf.core.api.IRequest;
 import at.gv.egiz.eaaf.core.api.data.PVPAttributeDefinitions;
 import at.gv.egiz.eaaf.core.api.idp.IAuthData;
 import at.gv.egiz.eaaf.core.api.storage.ITransactionStorage;
+import at.gv.egiz.eaaf.core.exceptions.AttributeBuilderException;
 import at.gv.egiz.eaaf.core.exceptions.EAAFBuilderException;
 import at.gv.egiz.eaaf.core.exceptions.EAAFException;
 import at.gv.egiz.eaaf.core.impl.data.Pair;
@@ -75,6 +76,8 @@ import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants;
 import at.gv.egovernment.moa.id.data.MOAAuthenticationData;
 import at.gv.egovernment.moa.id.protocols.builder.attributes.BPKListAttributeBuilder;
 import at.gv.egovernment.moa.id.protocols.builder.attributes.EncryptedBPKAttributeBuilder;
+import at.gv.egovernment.moa.id.protocols.builder.attributes.MandateNaturalPersonBPKListAttributeBuilder;
+import at.gv.egovernment.moa.id.protocols.builder.attributes.MandateNaturalPersonEncBPKListAttributeBuilder;
 import at.gv.egovernment.moa.id.protocols.builder.attributes.SimpleStringAttributeGenerator;
 import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
 import at.gv.egovernment.moa.logging.Logger;
@@ -352,26 +355,79 @@ public class SAML1AuthenticationServer extends AuthenticationServer {
 				
 				if (oaAttributes == null)
 					oaAttributes = new ArrayList<ExtendedSAMLAttribute>();
-								
-				String additionalBpks = new BPKListAttributeBuilder().build(
-						oaParam, 
-						authData, 
-						new SimpleStringAttributeGenerator());
-				Logger.trace("Adding additional bPKs: " + additionalBpks + " as attribute into SAML1 assertion ... ");
-				oaAttributes.add(new ExtendedSAMLAttributeImpl(
-						PVPAttributeDefinitions.BPK_LIST_FRIENDLY_NAME, additionalBpks,
-						Constants.MOA_NS_URI,
-						ExtendedSAMLAttribute.NOT_ADD_TO_AUTHBLOCK));
+
+				try {
+					String additionalBpks = new BPKListAttributeBuilder().build(
+							oaParam, 
+							authData, 
+							new SimpleStringAttributeGenerator());
+					if (MiscUtil.isNotEmpty(additionalBpks)) {
+						Logger.trace("Adding additional bPKs: " + additionalBpks + " as attribute into SAML1 assertion ... ");
+						oaAttributes.add(new ExtendedSAMLAttributeImpl(
+								PVPAttributeDefinitions.BPK_LIST_FRIENDLY_NAME, additionalBpks,
+								Constants.MOA_NS_URI,
+								ExtendedSAMLAttribute.NOT_ADD_TO_AUTHBLOCK));
+					
+					}
+				} catch (AttributeBuilderException e) {
+					Logger.info("Can NOT build additional bPKs. Reason: " + e.getMessage());
+					
+				}
 				
-				String encryptedBpks = new EncryptedBPKAttributeBuilder().build(
-						oaParam, 
-						authData, 
-						new SimpleStringAttributeGenerator());
-				Logger.trace("Adding foreign bPKs: " + encryptedBpks + " as attribute into SAML1 assertion ... ");
-				oaAttributes.add(new ExtendedSAMLAttributeImpl(
-						PVPAttributeDefinitions.ENC_BPK_LIST_FRIENDLY_NAME, encryptedBpks,
-						Constants.MOA_NS_URI,
-						ExtendedSAMLAttribute.NOT_ADD_TO_AUTHBLOCK));
+				try {
+					String encryptedBpks = new EncryptedBPKAttributeBuilder().build(
+							oaParam, 
+							authData, 
+							new SimpleStringAttributeGenerator());
+					if (MiscUtil.isNotEmpty(encryptedBpks)) {
+						Logger.trace("Adding foreign bPKs: " + encryptedBpks + " as attribute into SAML1 assertion ... ");
+						oaAttributes.add(new ExtendedSAMLAttributeImpl(
+								PVPAttributeDefinitions.ENC_BPK_LIST_FRIENDLY_NAME, encryptedBpks,
+								Constants.MOA_NS_URI,
+								ExtendedSAMLAttribute.NOT_ADD_TO_AUTHBLOCK));
+					
+					}
+				} catch (AttributeBuilderException e) {
+					Logger.info("Can NOT build additional foreign bPKs. Reason: " + e.getMessage());
+					
+				}
+				
+				//for mandates
+				try {
+					String additionalMandatorBpks = new MandateNaturalPersonBPKListAttributeBuilder().build(
+							oaParam, 
+							authData, 
+							new SimpleStringAttributeGenerator());
+					if (MiscUtil.isNotEmpty(additionalMandatorBpks)) {
+						Logger.trace("Adding additional Mandator bPKs: " + additionalMandatorBpks + " as attribute into SAML1 assertion ... ");
+						oaAttributes.add(new ExtendedSAMLAttributeImpl(
+								PVPAttributeDefinitions.MANDATE_NAT_PER_BPK_LIST_FRIENDLY_NAME, additionalMandatorBpks,
+								Constants.MOA_NS_URI,
+								ExtendedSAMLAttribute.NOT_ADD_TO_AUTHBLOCK));
+					
+					}
+				} catch (AttributeBuilderException e) {
+					Logger.info("Can NOT build additional Mandator bPKs. Reason: " + e.getMessage());
+					
+				}
+				
+				try {
+					String encryptedMandatorBpks = new MandateNaturalPersonEncBPKListAttributeBuilder().build(
+							oaParam, 
+							authData, 
+							new SimpleStringAttributeGenerator());
+					if (MiscUtil.isNotEmpty(encryptedMandatorBpks)) {
+						Logger.trace("Adding foreign Mandator bPKs: " + encryptedMandatorBpks + " as attribute into SAML1 assertion ... ");
+						oaAttributes.add(new ExtendedSAMLAttributeImpl(
+								PVPAttributeDefinitions.MANDATE_NAT_PER_ENC_BPK_LIST_FRIENDLY_NAME, encryptedMandatorBpks,
+								Constants.MOA_NS_URI,
+								ExtendedSAMLAttribute.NOT_ADD_TO_AUTHBLOCK));
+					
+					}
+				} catch (AttributeBuilderException e) {
+					Logger.info("Can NOT build foreign Mandator bPKs. Reason: " + e.getMessage());
+					
+				}
 								
 			}
 						
-- 
cgit v1.2.3