133 hits containing all of the term eIAM

eIAM Geo-Redundancy

Geo-Redundancy of eIAM. The control over which data center is addressed for eIAM-Core is managed via DNS entries. Normally, the hostnames (FQDN) of eIAM-Core point to the load balancers in Primus; after a sw… …ut 30 minutes is to be expected during a switch. Under eIAM-Core, services 1–10 and 12 are grouped according to eIAM Services. The service eIAM RP-PEP (Service 11) is treated separately because the …

eIAM Service Release Plan

… FOITT eIAM Service Release Plan. Inclusion in eIAM distribution list for e-mail communication: Through the eIAM distribution list, you receive information emails from the eIAM Release team. These include advance notices about rele… …e installations. The distribution list is also used by eIAM Operations to send out incident information for daily … …ions. Utilize this information channel and contact the eIAM Release Management Team at eIAM-Releases@bit.admin.ch if you wish to update your detai…

eIAM list of IdPs

eIAM list of IdPs. eIAM mediates authentication services from various internal… …sible for certain applications or specialised areas in eIAM. A special case that is rarely used is sector IdPs. T…

eIAM APIs

eIAM APIs. The use of these APIs with eIAM occurs when you cannot read all information from the a… …ise or evaluate data in your business application with eIAM. API changes are communicated by the BIT 6 months in a… …the application in case of interface changes after the eIAM integration MUST be ensured by the customer! In doing so, the defined interface specifications of eIAM must be adhered to in a binding manner; these are not … …his leads to an incompatibility between the target and eIAM and the target cannot be adapted (the willingness to d… …etimes not given by SaaS providers), the connection to eIAM is at risk. Such applications should NOT be procured. …

eIAM Web GUI CH-Login Self-Registration

eIAM Web GUI CH-LOGIN Self-Registration. The CH-LOGIN IdP provides users of applications using the eIAM service with an identity provider for authentication b… … have a stronger authentication means that the service eIAM supports. CH-LOGIN Self-Registration, Description: If th… …e self-registration of the CH-LOGIN IdP in the service eIAM to create the identity of the user. After the user's s… …d maintain these attributes about the user outside the eIAM service. CH-LOGIN Self-Registration URL: The CH-LOGIN s… …ication MUST be triggered on the user's request to the eIAM-Web PEP (the user must be directed to a URL in the pro… …he IdP "CH-LOGIN". Interactive Home Realm Discovery on eIAM Trustbroker: The CH-LOGIN IdP offers the user the possi…

Interface eIAM-WSG

… Interface eIAM-WSG The WS-Federation interface supports the integrati… applications based on the WS-Federation standard. The eIAM-Web PEP offers defined interfaces for this federation …ion protocol is used for this purpose. Overview of the eIAM-WSG solution, communication The scenario starts with a…e token (9). With the administration tools provided by eIAM, the customer is able to administrate with the differe…. Technical user Access to a web service interface via eIAM-WSG is regulated via the authorisation of technical us…t in the data reference point, which is provisioned to eIAM and is subject to a regulated lifecycle. As soon as th… the completion of the tech user can be requested from eIAM Operations using the form below. In addition to the co…

Functionality of the eIAM roles

… Functionality of the eIAM roles. Once a user has been successfully authenticated, the user's roles from the eIAM-AM (Access Management) are added to the application as attributes of the authentication tokens within eIAM. The only exception here is the "AuthOnly" onboarding pattern, as the application does not use the eIAM-AM in this case. The eIAM service offers a 2-stage role concept for access management. The roles are administered in the eIAM-AM. A distinction is made between access roles and app… …ribed for the respective protocol (SAML or OIDC) under eIAM Services 1 - Federation of identities. Access roles T…

eIAM selfadminPortal "MyAccount"

eIAM selfadminPortal "MyAccount". The functionalities of the eIAM selfadminPortal "MyAccount" are part of CH-LOGIN. Curr… …ilable for the existing Specialist community IdPs. The eIAM selfadminPortal "MyAccount" is an integral part of the eIAM service. The portal can be accessed directly, detached… …ser can change their password or modify their details. eIAM-MyAccount Self-administration: User data with CH-LOGIN …

Working with eIAM

… Working with eIAM. The market service eIAM controls access to web applications, native mobile app… …tration and protects them against unauthorised access. eIAM federates the electronic identities of different inter… …ons and enforces the required authentication strength. eIAM enables single sign-on (SSO) across multiple applications. Optionally, eIAM can provide the connected applications with statements… …ccess management (authorisation system) corresponds to eIAM Service 7. …

Interface eIAM-AMW

… Interface eIAM-AMW (eIAM Access Clients Web GUI). In the eIAM service, identity and access management have been sepa… …lf of offices. Access management is carried out in the eIAM-AM of the eIAM service. In the Access Management (AM) client, mainly … …s. However, these attributes are only available within eIAM-AM and are not delivered to the application with the SAML assertion. eIAM-AM provides interfaces in the form of a web applicatio…

eIAM Backend

eIAM Backend. The HTTP header fields are components of the H… … of the client as seen by the load balancer before the eIAM-Web PEP. If the client is accessed via several proxy s… …this field. That is, the load balancer upstream of the eIAM-Web PEP can receive this HTTP header already delivered… …oint of view). Source of the header: load balancer before eIAM-Web PEP. Comment: … Header name: isiwebclientid. Example: 65c… …ains an internal client id. A client is tracked by the eIAM-Web PEP by means of a session cookie. The ClientID r… …ains the same throughout the client's session with the eIAM-Web PEP. Source of the header: …
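The trust boundary this passage implies, as an added example that is not eIAM code: a backend behind the eIAM-Web PEP should honour isiwebclientid and the forwarded client address only when the request really arrived from the load balancer/PEP tier, because any other peer can send the same header names itself. Only the header name isiwebclientid comes from the page; the name of the forwarded-address header (X-Forwarded-For, with the usual append-one-entry-per-hop semantics), the trusted network range, the length cap on the id and the sample header values are assumptions for illustration.

```python
"""Client-context headers set by the load balancer in front of the eIAM-Web PEP
(added example, not eIAM code): honour them only from the trusted PEP tier."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Mapping, Optional

# Assumption: the load balancer / PEP tier reaches the backend only from this network.
# Requests from any other peer carry headers nobody trusted has set, so they are ignored.
TRUSTED_PEP_NETWORKS = [ip_network("10.10.0.0/16")]

CLIENT_ID_HEADER = "isiwebclientid"       # header name from the page
FORWARDED_FOR_HEADER = "x-forwarded-for"  # assumption: the page's name for the address field is cut off


@dataclass(frozen=True)
class ClientContext:
    client_id: Optional[str]   # PEP-internal client id, constant for one session with the PEP
    client_ip: Optional[str]   # client address as seen by the load balancer before the PEP


def peer_is_trusted(peer_ip: str) -> bool:
    """True when the TCP peer that delivered the request belongs to the PEP tier."""
    addr = ip_address(peer_ip)
    return any(addr in net for net in TRUSTED_PEP_NETWORKS)


def client_ip_as_seen_by_lb(forwarded_for: str) -> Optional[str]:
    """Address the load balancer itself observed.

    Assumes standard append-per-hop semantics: each proxy appends the peer it saw, so when
    an upstream proxy already delivered the header, the last entry is the one our load
    balancer added and vouches for; earlier entries are unverified client/proxy input."""
    hops = [h.strip() for h in forwarded_for.split(",") if h.strip()]
    if not hops:
        return None
    try:
        return str(ip_address(hops[-1]))   # normalises the literal, rejects garbage
    except ValueError:
        return None


def client_context(peer_ip: str, headers: Mapping[str, str]) -> ClientContext:
    """Derive the client context from request headers (matched case-insensitively), but only
    when the request arrived from the PEP tier; otherwise both fields stay unknown."""
    if not peer_is_trusted(peer_ip):
        return ClientContext(client_id=None, client_ip=None)
    lower = {k.lower(): v for k, v in headers.items()}
    client_id = lower.get(CLIENT_ID_HEADER, "").strip() or None
    # The id is opaque to the backend; only an assumed length cap and no-whitespace are enforced.
    if client_id is not None and (len(client_id) > 128 or any(c.isspace() for c in client_id)):
        client_id = None
    return ClientContext(client_id=client_id,
                         client_ip=client_ip_as_seen_by_lb(lower.get(FORWARDED_FOR_HEADER, "")))


def same_pep_session(previous: ClientContext, current: ClientContext) -> bool:
    """The id stays constant for the whole session with the PEP (page), so a change of id
    while the application session continues is worth logging or re-authenticating."""
    return previous.client_id is not None and previous.client_id == current.client_id


if __name__ == "__main__":
    # Constructed sample headers as the load balancer would deliver them (values made up).
    hdrs = {"isiwebclientid": "65c0ffee0badf00d", "X-Forwarded-For": "203.0.113.7, 198.51.100.20"}
    print(client_context("10.10.3.4", hdrs))    # trusted peer: headers honoured
    print(client_context("192.0.2.55", hdrs))   # untrusted peer: headers ignored
```

The peer check is the part that matters: without it the forwarded address and the client id are attacker-controlled input like any other header, and logging or authorising on them would be meaningless.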

eIAM Customer Documentation

eIAM Customer Documentation. Service provider: FOITT. eIAM federates the electronic identities of different inter… …rces the required authentication strength. Optionally, eIAM can provide the connected applications with statements… … information of the IAM Services FCh DTI. Working with eIAM: In the Working with eIAM directory, our existing customers will find all organisational and technical eIAM documents that are required for ongoing operations. We… …to this entry page in the respective operating manual. eIAM Services: In the …

pdf Integration of OpenID Connect applications with eIAM

… Integration of OpenID Connect applications with eIAM

API eIAM-RDM

… API eIAM-RDM. eIAM-RDM allows users to be invited into eIAM using a REST (Representational State Transfer) API. RD… …e person responsible for permissions in an office (cf. eIAM service 6 under and eIAM-Video at minute 11). When using RDM, it is not a human who triggers the invitation in eIAM, but a machine (process in the business application). eIAM sends the invited person an e-mail containing an invit…

eIAM-Glossar

… eIAM Glossary. This glossary contains the technical terms used in eIAM. Unfortunately, you will currently find different technical terms and designations for identical eIAM services in the web documentation. We are continuously… … recognise connections. FED-LOGIN and CH-LOGIN are two eIAM login procedures. The corresponding FAQs can be found … …ities (BYOI); CH-LOGIN - Link AGOV identity (BYOI) with eIAM; CH-LOGIN - Adding login factors to CH-LOGIN; CH-LOGIN -… …plications; AGOV help; AGOV Help (38 guides); eIAM Overview …

eIAM staging rules (STS-PEP)

eIAM Staging Rules (STS-PEP). Integrations with eIAM always take place in the reference environment. Direct integration of an application in the eIAM acceptance or production environment is not possible. eIAM Staging Rules: From an eIAM perspective, the following requirements must be met in order for the eIAM configuration of an application to be released from REF to the next eIAM instances (ABN/PROD): Application: The URL of the appli…

eIAM staging rules (RP-PEP)

eIAM Staging Rules (RP-PEP). Integrations with eIAM always take place in the reference environment. Direct… … acceptance or production environment is not possible. eIAM Staging Rules: From an eIAM perspective, the following requirements must be met in order for the eIAM configuration of an application to be released from REF to the next eIAM instances (ABN/PROD): Application: The load balancer en… …er entry of the backend is network accessible from the eIAM server. the …

eIAM Services

eIAM Services. The technical services and functions provided by eIAM are described here. Other sources of information: Link to the GENERAL FUNCTIONALITY OF eIAM: eIAM Description of services. Link to the eIAM FACTSHEET (internal only): eIAM Factsheet …

Integration-of-new-applications eIAM Customer Change Plan / CC . . .

… Integration-of-new-applications. eIAM Customer Change Plan / CC Plan. Background: The eIAM Customer Change Plan defines the time windows for deploying customer applications in the respective eIAM stages (REFERENCE, ACCEPTANCE, and PRODUCTION). Thanks to the continuous development of the eIAM CI/CD (Continuous Integration/Continuous Deployment) p… …s are now available. The new architecture setup of the eIAM service enables uninterrupted deployment, providing gr… …your integration partner. Through coordination between eIAM Release Management and FOITT Change Management, it has… …uration changes at any time in coordination with their eIAM integrator (SIE) from REFERENCE to PRODUCTION. STS-PE…

eIAM Support

eIAM Support. Support Instructions for self-help: We have cre… …ities (BYOI); CH-LOGIN - Link AGOV identity (BYOI) with eIAM; CH-LOGIN - Adding login factors to CH-LOGIN; CH-LOGIN -… … and your documents will always be up to date with the eIAM. Support Forms: The principle of self-help applies to … …set for users without smartcard. Managed Techuser Forms: eIAM offers the use and setup of "Managed Techusers". The Techusers are provided and managed by the eIAM Operations team according to the customer's order spec… …re available: 1. Techusers to use the APIs provided by eIAM. This category of tech users is mainly used in auto…

Migration RP-PEP to STS In future, eIAM . . .

… Migration RP-PEP to STS. In future, eIAM service 11: Reverse Proxy Policy Enforcement Point (RP… …ty of ongoing operations and the ongoing costs for the eIAM customer (elimination of external components with incr… …roxy? If your application is billed with the material "eIAM-STD-RP-PEP", it has been implemented with a reverse proxy. If the material "eIAM-No-RP-PEP" is still billed, then check in the MLR cust… …been converted for billing in accordance with the 2022 eIAM pricing model. If you are unsure about your assessment, please contact the eIAM integration team: eIAM-Integrations@bit.admin.ch. Commercial information: Why a…

Access to the eIAM Admin Portal

Access to the eIAM Admin Portal. Instance of the eIAM portal: Production (PROD), Acceptance (ABN), Reference (REF); Link: eIAM Portal Entry Panel. eIAM Portal Entry Panel / Delegated management: Change Subor… …step links the data (permissions/roles) entered in the eIAM portal to the CH-LOGIN user account. Perform Onboardin… …on successfully completed. User has been registered in eIAM Portal and has received Onboarding eMail. 1 Please ope…

eIAM dossier questions

eIAM dossier questions. We must always remember that it is a… …tion on the one hand as a consumer of IAM services and eIAM on the other hand as a provider of IAM services. In or… …ases of the application. Questionnaire: By means of the eIAM dossier, we seek answers to a multitude of questions t… …still needs to be verified by you as the customer. The eIAM team will of course be happy to help you with this. Or… …ing and after the integration of your application with eIAM. It is important for eIAM to know the correct contact persons for queries, furth… … phase. This makes communication much easier for us at eIAM and for you as a customer, and reduces administrative …

eIAM for native mobile app

eIAM for native mobile apps. eIAM is the central access and authorisation system of the … …ode has been provided, demonstrating how to connect to eIAM via OpenID Connect (OIDC) for both iOS and Android. It… … own apps to ensure smooth integration and support for eIAM. Check out the short video on this: Developing native mobile apps with eIAM. The CH-LOGIN mentioned in the video is being superseded by AGOV… …limitations in the user experience. Example of an OIDC eIAM login into an iOS mobile app: This native app example i… …o an iOS app. The app allows users to log in to three eIAM environments (REF/ABN/PROD) and displays token informa…

eIAM Access Request (ARQ)

eIAM Access Request (ARQ). eIAM AccessRequest, Description: The AccessRequest applicatio… …form of a Web application to applications protected by eIAM. For applications within the networks of the Federal Administration, the call of eIAM-AccessRequest is automatically triggered by the absenc… …etworks of the Federal Administration must call up the eIAM-AccessRequest themselves. They can do this via an HTTP… … link within the application with which he can call up eIAM-Access. When implementing the link independently, particular attention must be paid to usability. The eIAM-AccessRequest application supports two use cases: In t…

Interface eIAM-LDS

… Interface eIAM-LDS. eIAM-LDS enables the reading of user data via the Lightweig… …works of the Federal Administration. For this purpose, eIAM makes the information on the users of an application available in a dedicated directory. System context eIAM-LDS. eIAM-AM: The eIAM-AM contains the accounts of the users. A subject can have several eIAM accounts in different clients in the …

cug pdf eIAM information event

… Link to eIAM information event …

cug pdf Swissmedic Case eIAM Use (pdf)

… Swissmedic Case eIAM Use (pdf) …

eIAM Automation and QA

eIAM Automation (CI/CD): Continuous Integration | Continuous Delivery | Continuous Deployment. eIAM Automation of Service Release & Application Integrations: The new eIAM automation platform will meet the following objectives: An eIAM application integration via the REF/ABN/PROD instances… … executed (detailed information under: CC-Plan). The eIAM service changes and new features can be introduced con… …t of users for testing before it is activated for all. eIAM automation of service release & application integrations. Application integration data sources: The eIAM dossier provides all data needed for the …

eIAM organisation and points of contact

eIAM organisation and contact points. Federal Chancellery DTI: Control and management of eIAM. Mission: The FCh DTI represents the service recipients… …). The FCh DTI is responsible for new requirements for eIAM and all governance issues. Responsibility: For governance of eIAM and new requirements. Responsible person, point of con… …ment, collaboration and execution across the different eIAM teams. The Agile Release Train eIAM consists of: Leadership Team of the Agile Release Train eIAM. Mission: The ART leadership is responsible for the imp…

eIAM service level

… Working with eIAM: eIAM service level. The market service eIAM is offered as standard with the following service level parameters: Service times: The service hours of eIAM are 24/7, from Monday to Sunday from 00h to 24h. Support hours: The support hours of eIAM are 11/5, i.e. from Monday to Friday from 07h to 18h. … …nd consultation process with important stakeholders of eIAM. Availability class: The eIAM service has the availability class VK3: max. Downtime …

Example SAML 2.0 AuthnRequest application - eIAM-Web PEP

… Example: SAML 2.0 AuthnRequest application – eIAM-Web PEP. Case study SAML in PHP applications. urn:eiam.admin.ch:sp:appl1 VZATkX0HltA7jWEelpSJ0TZMBZs= NxgpWq.… …FnSPx Example: SAML 2.0 Response PEP – Application. urn:eiam.admin.ch:pep:AMT Xl/x...S7w= IJtU...vA== MIIG...9Q== urn:eiam.admin.ch:pep:AMT rSi3...RBM= YsUe...LQ== MIIG...9Q== 1…

svg Process flow and control with link to stakeholder eIAM information

… Process flow and control with link to stakeholder eIAM information …

eIAM Support

… Working with eIAM: eIAM Support. Support for this market service is provided by… … contact the BIT service desk. As third level support, eIAM Operations acts at the end of the support chain. The s…

Example SAML 2.0 AuthnRequest Application - eIAM-Web PEP

…ermann Verena AMT de Active Directory https://idp-kerb-eiam-r.amt.admin.ch/auth/saml2/sso 01010101 AMT FIN Einkauf…

pptx Template Kickoff Meeting eIAM-Integration

… Template Kickoff Meeting eIAM-Integration …

pdf eIAM Service Release Traminer

eIAM Service Release Traminer …

pdf eIAM Service Release Diolinoir

eIAM Service Release Diolinoir …

pdf eIAM Service Release SR20-02

eIAM Service Release SR20-02 …

pdf eIAM Service Release SR20-03

eIAM Service Release SR20-03 …

pdf eIAM Service Release Chasselas

eIAM Service Release Chasselas …

pdf eIAM Service Release Gamaret

eIAM Service Release Gamaret …

pdf eIAM Service Release Pinot Noir

eIAM Service Release Pinot Noir …

pdf eIAM Service Release Sauvignon Blanc

eIAM Service Release Sauvignon Blanc …

pdf eIAM Service Release Cabernet Sauvignon

eIAM Service Release Cabernet Sauvignon …

FAQ

…on communication between AGOV as identity provider and eIAM as the consumer of AGOV identities. The CH2A-Wizard as… …rmation and requests will be sent via the mailing list eIAM-Releases@bit.admin.ch. We will also use this channel t… …s business application owners. Please send an email to eIAM-Releases@bit.admin.ch if you would like to be added to… …s or concerns, feel free to contact us at any time via eIAM-Releases@bit.admin.ch. Are there templates available … …cation? In addition to the interactions within the eIAM user flow, all necessary information is planned to be published on the information pages of the eIAM service (https://www.eiam.swiss/), the …

AGOV-First backward compatibility of delivered claims

…provider or available for every user.
🟩 http://schemas.eiam.admin.ch/ws/2013/12/identity/claims/language: Claim is… … user.
🟥 Claim is no longer delivered
🟥 http://schemas.eiam.admin.ch/ws/2013/12/identity/claims/e-id/distinguishedName: Claim is no longer supported.
🟥 http://schemas.eiam.admin.ch/ws/2019/08/identity/claims/authLevel: Claim is no longer supported.
🟥 http://schemas.eiam.admin.ch/ws/2019/08/identity/claims/authnphonenumber: Claim is no longer supported.
🟥 http://schemas.eiam.admin.ch/ws/2019/08/identity/claims/authnphonenumberVerified: Claim is no longer supported.
🟥 http://schemas.eiam.admin.ch/ws/2019/08/identity/claims/emailVerified: Cla… …ion.Subject.NameID: The claim is delivered based on the eIAM identity. Applications with legacy integrations that u…

SR-Liskamm

…nts, as well as new functionalities and changes to the eIAM Services as per the Roadmap FCh-DTI. Please direct you… …e REF: 15.07.2025 (regression testing; feedback by e-mail to eIAM); ABN: 13.08.2025 (regression testing; feedback by e-mail to eIAM); PROD: 07.09.2025, Sunday (final inspection; feedback by e-mail to eIAM). Changes - Innovations: CH2A Phase AGOV-First in REFEREN… …s of an application; Single sign-on (SSO) for access to eIAM MyAccount has been discontinued. Regression testing by eIAM customers: Your cooperation is necessary and very impor… … be able to guarantee the stable and secure productive eIAM service, we require meaningful regression tests of the…

Overview of all SR-Notes

eIAM Service Release Notes. In the release notes, you will find changes to the eIAM service as well as new functions. 07.09.2025 - eIAM Service Release Liskamm (Draft); 06.07.2025 - eIAM Service Release Lenzspitze; 04.05.2025 - eIAM Service Release Lauteraarhorn; 16.02.2025 - eIAM Service Release Jungfrau; 03.11.2024 - eIAM Service Release Hohberghorn; 08.09.2024 - …

CH-LOGIN to AGOV (CH2A)

…ment" standard service operated by the FOITT - part of eIAM is username and password free thanks to the use of new…

SR-Lenzspitze

…nts, as well as new functionalities and changes to the eIAM Services as per the Roadmap FCh-DTI. Please direct you… … SW updates & AGOV-First (regression testing; feedback by e-mail to eIAM); ABN: 11.06.2025, SW updates only (regression testing; feedback by e-mail to eIAM); PROD: 06.07.2025, Sunday, SW updates only (final inspection; feedback by e-mail to eIAM). Changes - Innovations: New SW versions for the eIAM components (REF to PROD); AGOV-First (REF environment only). Regression testing by eIAM customers: Your cooperation is necessary and very impor… … be able to guarantee the stable and secure productive eIAM service, we require meaningful regression tests of the…

Bring your own identity (BYOI)

…Multi-Profile and Multi-ID: The same eID can be used in eIAM for several target applications, several corporate con… …its) and several profiles within a target application; eIAM shows the corresponding unit and profile selections. T… …identity acquired on the market, if it is approved for eIAM (eIAM list of IdPs). In future, it will be possible to bundl…

Use of credentials

…ming logins with different credentials: It follows from eIAM services 1 and 2 that logins (user logins) are not per… …es, but by an internal or external IdP associated with eIAM. This is an important security aspect of the federation between identity provider, eIAM and target applications: The login is always performed… …y (QoA) a target application accepts is defined in the eIAM dossier at the integration project per target application. Infolink regarding the IdPs can be found at: eIAM list of IdPs. Infolink regarding the QoA concept can be…

SAML Attributes

…om different sources in the federative architecture of eIAM. On the one hand, attributes can originate directly fr… …, on the other hand, attributes can originate from the eIAM-AM. The eIAM Trustbroker enriches the SAML assertion of the IdP with attributes from the eIAM-AM. Overview of the most important attributes: The foll… …ity/claims/name": This identifier identifies the user's eIAM account in the eIAM root client for multi-client platforms (e.g. CMS FOITT… …ssertion AFTER a user has made an access request to an eIAM application for the first time. Since the attribute ma…

BTB SSO Groups

…tomer/partner fills out the official form (link in the eIAM dossier) and uploads it to the relevant eIAM dossier. Approval from all relevant ISBOs must be obtai… …d upload to the dossier. Approval from relevant ISBO(s): eIAM INT can assist with identifying relevant ISBOs and gro… … existing group: No new form required. All stakeholders (eIAM INT, ISBOs, application owners) must be informed. Techn…

Service Provider First

…der First (SP-First): The process of authentication via eIAM. The Service Provider First pattern applies. Service P… The target application forwards the user's browser to eIAM for the purpose of authenticating the user. eIAM now forwards the user's browser to an identity provide… …e browser is routed back to the target application via eIAM. On the way, the original authentication token of the identity provider of eIAM is exchanged for an eIAM authentication token, enriched with data from the user's root account in the eIAM root clients as well as the user record in the …

This category of tech users is mainly . . .

…ch users is mainly used in automatic user management. eIAM offers 2 APIs for this purpose: a SOAP interface for di… …ess to the user management in NevisIDM (see details on eIAM-AMW), as well as a REST interface via which the funct… …ed management can be used as a service (see details on eIAM-RDM). Please note the following necessary preparation…

This category of tech user is primarily . . .

…er (provider) communication via a web service gateway. eIAM offers the eIAM Web Service Gateway (eIAM-WSG) for authentication. Details on this service can be found at eIAM-WSG. Please note the following necessary preparations… …t in the data reference point, which is provisioned to eIAM and is subject to a regulated lifecycle. The following…

This category is used in automated testing, . . .

… in automated testing, monitoring and data processing. eIAM offers 4 account types of managed "techusers" for the interactive use of eIAM service via web UI, especially for the login to office… …counts, which are personal. Important: Please note that eIAM Operations only ensures that the tech users including …

Requirement on the Web Browsers SAML-Tracer

…rowsers Technical requirement for the web browsers The eIAM solution requires the latest versions of the browsers,…

GKA authorises BVA

…ach user application) contains the E-Mail generated by eIAM with the user's request information. E-Mail with the u… …riction of the BVA or AppOwner role to the client. In eIAM-IDM, a client is broadly understood to be the entire o… …the Access Management unit. In the current version of eIAM AccessManagement, a trivial organisation is implemente… …ed "AccessRequest" (user profile filing with the First eIAM User AccessRequest). It is the GKA's task to authorise…

Application Technical Requirements

…rements so that it can be integrated with the standard eIAM service. Encrypted data transmission: The entire data t… …ransport Layer. In order to enable the WAF features of eIAM and the reverse proxy functionality, the encryption be… … broken on the load balancer before the WAF and on the eIAM-Web PEP and a new, also encrypted connection must be e… …ess: To enable the integration of applications into the eIAM service, requirements are placed on the so-called prox… …nal effort and can thus be integrated into the service eIAM. Whether a web application is proxy-aware can be found… … requirements are mandatory for applications used with eIAM. Note: Is not a requirement of eIAM for applications outside the networks of the Federal A…

SR-Eiger

…nts, as well as new functionalities and changes to the eIAM Services as per the Roadmap DTI. Please note that date… …e REF: 27.02.2024 (regression testing; feedback by e-mail to eIAM); ABN: 20.03.2024 (regression testing; feedback by e-mail to eIAM); PROD: 21.04.2024, Sunday (final inspection; feedback by e-mail to eIAM). Changes - Innovations: FED-LOGIN - Support for multiple… …ral change for OIDC integrations; Migrations to the new eIAM CI/CD automation platform. Regression testing by eIAM customers: Your cooperation is necessary and very impor… … be able to guarantee the stable and secure productive eIAM service, we require meaningful regression tests of the…

SR-Castor

…nts, as well as new functionalities and changes to the eIAM Services as per the Roadmap DTI. Please note that date… …date REF: 03.10.2023 (regression testing; feedback by e-mail to eIAM); ABN: 18.10.2023 (regression testing; feedback by e-mail to eIAM); PROD: 05.11.2023, Sunday (final inspection; feedback by e-mail to eIAM). Changes - Innovations: Architecture change for OIDC int… …N and HIN-EPR new federation architecture; Readdressing eIAM Web Service Interface; Sending e-mails from eIAM; Migrations to the new eIAM CI/CD automation platform. Regression testing by …

Warmup

… any time? and many other issues... Identities in eIAM: An authenticating identity points to exactly one feder… …ave 0-n roles assigned (0:n). Through integration with eIAM: The integration of your application with the service eIAM of the IKT-SD IAM V2 of the Federal Administration rel… …y authenticate users via standardised tokens issued by eIAM to recognise the identity of the accessing subject. It… …a Reverse Proxy Policy Enforcement Point (RP-PEP) from eIAM provide policy compliant access to their application i…

Session Setup SAML 2.0 with RP-PEP

… Session Setup SAML 2.0 with RP-PEP Basically, eIAM distinguishes between two types of sessions. The sessi…er. It delegates the authentication of the user to the eIAM Trustbroker as Federation Provider (FP), which in tur…Provider (IdP) defined for the called application. The eIAM Trustbroker has access to the Attribute Provider (AP) … Trustbroker has access to the Attribute Provider (AP) eIAM-AM, which holds the roles and other attributes of the…ser in a self-submitting HTML form with the destination eIAM Trustbroker. With this form, the URL that the user ori…cally sends the HTML form with the AuthnRequest to the eIAM Trustbroker via JavaScript. The … Trustbroker via JavaScript. The eIAM-Trustbroker checks whether the AuthnRequest originates…

SR-Finsteraarhorn

…nts, as well as new functionalities and changes to the eIAM Services as per the Roadmap DTI. Please note that date…e REF:      ⇨ 29.04.2024 ↴ ⚒ Regression testing ❌❎ ✉ ➔ eIAM ⚒✅ ABN:    ⇨ 29.05.2024 ↴ ⚒ Regression testing ❌❎ ✉ ➔ … ⚒✅ ABN:    ⇨ 29.05.2024 ↴ ⚒ Regression testing ❌❎ ✉ ➔ eIAM ⚒✅ PROD:  ⇨ 07.07.2024 Sunday ⚒ Final Inspection ❎❎ ✉ …✅ PROD:  ⇨ 07.07.2024 Sunday ⚒ Final Inspection ❎❎ ✉ ➔ eIAM Changes - Innovations FED-LOGIN - Support of Access Ap…GIN - New behaviour for PW Reset Regression testing by eIAM customers Your cooperation is necessary and very impor… be able to guarantee the stable and secure productive eIAM service, we require meaningful regression tests of the…lp you to plan the regression tests in relation to the eIAM functionalities you use and will also serve as a sourc…

SR-Dufourspitze

…nts, as well as new functionalities and changes to the eIAM Services as per the Roadmap DTI. Please note that date…date REF:   ⇨ 28.11.2023 ↴ ⚒ Regression testing ❌❎ ✉ ➔ eIAM ⚒✅ ABN:   ⇨ 18.01.2024 ↴ ⚒ Regression testing ❌❎ ✉ ➔ … ⚒✅ ABN:   ⇨ 18.01.2024 ↴ ⚒ Regression testing ❌❎ ✉ ➔ eIAM ⚒✅ PROD:  ⇨ 11.02.2024 Sunday ⚒ Final Inspection ❎❎ ✉ …✅ PROD:  ⇨ 11.02.2024 Sunday ⚒ Final Inspection ❎❎ ✉ ➔ eIAM Changes - Innovations FED-LOGIN Usernameless/Passwordl…ral change for OIDC integrations Migrations to the new eIAM CI/CD automation platform Regression testing by … CI/CD automation platform Regression testing by eIAM customers Your cooperation is necessary and very impor… be able to guarantee the stable and secure productive eIAM service, we require meaningful regression tests of the…

Consistency-Checker (Enforcer)

… Consistency-Checker (Enforcer) Initial situation eIAM user master data and the recognition of users (special…ess). The data describing a user who authenticates via eIAM mainly consists of first name, last name and e-mail ad…n, there are technical identifiers in the sense of an "eIAM account number", e.g. the federatedID (VerbundID), whi…ended by the FOITT, but it is a common way. Definition eIAM "Root Account" and "Access Account" In … "Root Account" and "Access Account" In eIAM there is only one root account per authenticated ident…transferred to the target application at runtime using eIAM authentication tokens. Identities in … authentication tokens. Identities in eIAM & Units, Profiles and Roles Synchronisation of user ma…

Session setup SAML 2.0 with STS-PEP

…tween the user's web browser and the application using eIAM STS-PEP. SP initiated Web SSO - Introduction When proc…SSO scenario was chosen for connecting applications to eIAM because it offers some weighty advantages over other m…AuthnRequest signed by itself for the attention of the eIAM Trustbroker. This is embedded in a self-transmitting H… SAML AuthnRequest of the STS-PEP via HTTP POST to the eIAM Trustbroker. The … Trustbroker. The eIAM Trustbroker checks the SAML AuthnRequest for validity …comes from a trusted STS-PEP. If this is the case, the eIAM Trustbroker starts the so-called Home Realm Discovery.… the identity provider to be used via HTTP POST to the eIAM trust broker. The …

Identity provider (IdP)

…providers AGOV, CH-LOGIN, SG-PKI, Kerberos, MDM) AGOV: eIAM provides the electronic identity www.agov.ch for citiz… quality. Cantons and their municipalities can use the eIAM identity provider "AGOV" by connecting their applicati…ministration uses AGOV exclusively via the IAM system "eIAM". CH-LOGIN: CH-LOGIN is the predecessor of AGOV and wi…c identities from the SG-PKI (SG-PKI) are available in eIAM. identities from the SG-PKI (Swiss Government Public K…ernment Public Key Infrastructure) can also be used in eIAM for employees of the Federal Administration and SG-PKI…

Use of Reverse Proxy

…rize access using a coarse grained role (.ALLOW-role). eIAM integration with RP-PEP and Access Management Standard…s according to Si001 will require the use of a RP-PEP. eIAM distinguishes different authentication strengths accor…s according to . According to the current zone policy, eIAM only allows QoA min. 50 for SZ+ and BV network. Si001 …tion at the zone transition. It does not have to be an eIAM RP-PEP. … RP-PEP. eIAM distinguishes different authentication strengths accor…s according to . According to the current zone policy, eIAM only allows QoA min. 50 for SZ+ and BV network. Resour…the SZ (not SZ+) must be able to be exposed without an eIAM RP-PEP. The use of …

SAML 2.0 Integrationpattern STS-PEP (Default)

…b application. The application is not protected by the eIAM web component. The HTTP requests travel directly betwe…rowser and the application without passing through the eIAM-Web PEP. …-Web PEP. eIAM is only used for authenticating the user and as a prov…plication issues a signed SAML 2.0 AuthnRequest to the eIAM-Web PEP and sends it as a self-transmitting form to th…form to the user's web browser. 3 SAML AuthnRequest to eIAM-Web PEP The user's browser automatically sends the for…The user's browser automatically sends the form to the eIAM-Web PEP via browser POST using JavaScript. 4 SAML Auth…ascript. 4 SAML AuthnRequest to user's web browser The eIAM-Web PEP checks whether a session already exists with t…

Requirements for the URLs of the application

…ts for the URLs of the application Compliance with the eIAM requirements for URLs is mandatory for applications th…he URL. Entry Point FQDN The naming of the FQDN on the eIAM-Web PEP is basically specified: …-Web PEP is basically specified: eIAM PEP External (federal administrative network, cantonal…dministrative network, cantonal network and Internet). eIAM instance FQDN Production (PRO) www.gate. .admin.ch Acc…ral Administrative network internal IP address. On the eIAM side, requests from the Federal Administration network…ederal Administration network are routed via different eIAM-Web PEP instances than requests from outside the Feder…transparent for the application. Application areas The eIAM-Web PEP represents a secure reverse proxy server in a …

Session Termination RP-PEP

…elow. SAML 2.0 Single Logout (SLO) is not supported by eIAM. The initial situation is an existing SSO session of t…

General requirements for session management

…equirements for session management Compliance with the eIAM requirements for session management is mandatory for …eral Administration! Sessions between the user and the eIAM-Web PEP and between the …-Web PEP and between the eIAM-Web PEP and the application are necessary if the appli…mportant to distinguish between the SSO session on the eIAM Web PEP and the session in the individual applications…tions. When accessing an application directly (without eIAM), a session is created between the web browser and thi…However, as soon as the application is protected by an eIAM-Web PEP, an SSO session is created between the web bro…SSO session is created between the web browser and the eIAM-Web PEP. The web browser has only one SSO session, nam…

IDM Roles & Access Assignments

… withdrawing them again. GKD authorises GKA ▼ × In the eIAM environment, only three IDM specialists hold the role …

BVA Access management of users to applications

…ecialist application) contains the e-mail generated by eIAM with the user's application information. Copy the user…

Quality of Authentication (QoA)

…y are decisive for the quality of a digital identity . eIAM describes this as Quality of Authentication (QoA) . Fo… ID card to the application. Different QoA classes per eIAM stage At the customer's request, the flexibility of di… of different QoA classes per stage was implemented in eIAM. If a customer requires a lower QoA in a non-productiv…n writing (signed mail) by the responsible ISBO to the eIAM SIE. This exception is only permitted if no data with … is processed. Request for QoA by the relying party An eIAM-integrated relying party can either request the minima…class: during the runtime in the federation request to eIAM. specify it during integration (definition time) in …. specify it during integration (definition time) in eIAM. Reject the federation request if no QoA is specified …

First-time use of the application for new users

…ally sent a one-time usable code (onboarding-code) via eIAM by e-mail or manually via another dispatch channel. Lo…e who issues BVA authorisations, but someone else (see eIAM Service 6 and … Service 6 and eIAM-Video at minute 11). The following user onboarding opt…ser onboarding options are available: Onboarding code: eIAM sends the invited person an e-mail with an invitation …ic identity is connected to the target application via eIAM. People Picker: With the People Picker, existing …. People Picker: With the People Picker, existing eIAM identities can be searched in the enterprise context, …iggered by process in the business application via the eIAM-RDM interface …

SR-Lauteraarhorn

…nts, as well as new functionalities and changes to the eIAM Services as per the Roadmap FCh-DTI. Please direct you…e REF:      ⇨ 25.02.2024 ↴ ⚒ Regression testing ❌❎ ✉ ➔ eIAM ⚒✅ ABN:    ⇨ 02.04.2025 ↴ ⚒ Regression testing ❌❎ ✉ ➔ … ⚒✅ ABN:    ⇨ 02.04.2025 ↴ ⚒ Regression testing ❌❎ ✉ ➔ eIAM ⚒✅ PROD:  ⇨ 04.05.2025 Sunday ⚒ Final Inspection ❎❎ ✉ …✅ PROD:  ⇨ 04.05.2025 Sunday ⚒ Final Inspection ❎❎ ✉ ➔ eIAM Changes - Innovations FED-LOGIN - Improved selection o…t for security keys (FIDO2) for users with smart cards eIAM-AM - Delete ‘Login History’ data in IDM AGOV-First (pr…-First (preliminary information) Regression testing by eIAM customers Your cooperation is necessary and very impor… be able to guarantee the stable and secure productive eIAM service, we require meaningful regression tests of the…

SAML QoA Specification

…ncept can be found at: Quality of Authentication (QoA) eIAM "AuthnContextClasses" These are the new "AuthnContextC…Authentication Level AuthnContextClasses QoA10 urn:qoa.eiam.admin.ch:names:tc:ac:classes:10 QoA20 urn:qoa.….admin.ch:names:tc:ac:classes:10 QoA20 urn:qoa.eiam.admin.ch:names:tc:ac:classes:20 QoA30 urn:qoa.….admin.ch:names:tc:ac:classes:20 QoA30 urn:qoa.eiam.admin.ch:names:tc:ac:classes:30 QoA40 urn:qoa.….admin.ch:names:tc:ac:classes:30 QoA40 urn:qoa.eiam.admin.ch:names:tc:ac:classes:40 QoA50 urn:qoa.….admin.ch:names:tc:ac:classes:40 QoA50 urn:qoa.eiam.admin.ch:names:tc:ac:classes:50 QoA51 urn:qoa.….admin.ch:names:tc:ac:classes:50 QoA51 urn:qoa.eiam.admin.ch:names:tc:ac:classes:51 QoA60 urn:qoa.…

OIDC QoA Specification

…ncept can be found at: Quality of Authentication (QoA) eIAM "AuthnContextClasses" These are the new "AuthnContextC…Authentication Level AuthnContextClasses QoA10 urn:qoa.eiam.admin.ch:names:tc:ac:classes:10 QoA20 urn:qoa.….admin.ch:names:tc:ac:classes:10 QoA20 urn:qoa.eiam.admin.ch:names:tc:ac:classes:20 QoA30 urn:qoa.….admin.ch:names:tc:ac:classes:20 QoA30 urn:qoa.eiam.admin.ch:names:tc:ac:classes:30 QoA40 urn:qoa.….admin.ch:names:tc:ac:classes:30 QoA40 urn:qoa.eiam.admin.ch:names:tc:ac:classes:40 QoA50 urn:qoa.….admin.ch:names:tc:ac:classes:40 QoA50 urn:qoa.eiam.admin.ch:names:tc:ac:classes:50 QoA51 urn:qoa.….admin.ch:names:tc:ac:classes:50 QoA51 urn:qoa.eiam.admin.ch:names:tc:ac:classes:51 QoA60 urn:qoa.…

AGOV-First (REF environment only)

…rst" will only be rolled out in the REF environment of eIAM with the release "Lenzspitze" and not in the ABN and P…d PROD environment. In the ABN and PROD environment of eIAM, the rollout of "AGOV-First" will only take place with…nsultation with our customers in order to give you, as eIAM customers, sufficient time to familiarise yourself wit…ions since the start of 2024. AGOV can also be used in eIAM since the beginning of 2024. However, still with restr…he customer event on 11 April 2025 can be found on the eIAM Soundingboard Standardisation of the selection of the …sed. Previously, two different options were offered in eIAM. On the one hand, the so-called "tile view", which dis…e screens (laptop/desktop). The different behaviour of eIAM has repeatedly led to confusion among users in the pas…

IDM role request GKA to GKD

…role to a person: Request for GKA-IDM role 1 IDM role: eIAM-ID Administration for overall coordinators of all appl…cation. 4 IDM role application completion message. Now eIAM starts the authorisation process by sending a mail to …

Information FCh DTI

…onthly basis, FCh DTI obtains operational reporting on eIAM production from the FOITT Discussion forum … production from the FOITT Discussion forum eIAM, questions and discussions, moderated by FCh DTI Requi…ed by FCh DTI Requirements Management Requirements for eIAM must be submitted to FCh DTI P035 status P035-Status …

Management informations

…s, including the identity and access management system eIAM. Steering addresses medium- and long-term architectura…ents, commissioning of the service provider, which for eIAM is the FOITT, and financing of requirements implementa…uirements implementation. The FCh DTI publishes on the eIAM main information page the innovations in … main information page the innovations in eIAM, a monthly operational report, the P035 form, and a di…

Project flow and control

… Project flow and control eIAM appl. integration The provision of … appl. integration The provision of eIAM is agreed in a separate integration project or as a su…n and the integration of the business application into eIAM. Note: If your application becomes part of the ePortal…art of the ePortal (eportal.admin.ch) of the FOITT, no eIAM integration is necessary because the ePortal is alread… necessary because the ePortal is already connected to eIAM. You do not need to open an …. You do not need to open an eIAM dossier in this case. … dossier in this case. eIAM integration project Step 1: Open an …

Detailed technical requirements from the SAML 2.0 interface

…ervice (ACS) URL Session setup between Web Browser and eIAM-Web PEP Session setup between application and …-Web PEP Session setup between application and eIAM-Web PEP Session setup applications outside the Federal…he Federal Administration networks Session termination eIAM-Web PEP Supported SAML profiles, bindings, subject con…ew table of SAML 2.0 assertion attributes supported by eIAM Example SAML 2.0 AuthnRequest / SAML 2.0 Response / RS…

SAML Messages

…essage, the application requests a SAML token from the eIAM with the information about the user. Parameter        …ssion of the SAML 2.0 AuthnRequest MUST be done in the eIAM using HTTP-POST Binding. "urn:oasis:names:tc:SAML:2.0:…Destination The Destination MUST have the value of the eIAM WebSSO AuthnRequest Consumer (SSO URL on the PEP). Exa…pplication MAY pass the AuthnRequest as a parameter to eIAM by means of the RelayState (return address to which th…he application MUST be able to consume the response by eIAM in the form of a SAML 2.0 Response on the URL specifie…

Federation with WS

…ation network based on the WS-Federation standard. The eIAM-Web PEP offers defined interfaces for this federation … the federation for the authentication of the user via eIAM-Web, …-Web, eIAM-TrustBroker and IdP is always done via the SAML 2.0 pr…nistration Network Detailed technical requirements The eIAM service can only function properly if the conventions …

Further requirements SAML 2.0

…integration of a SAML 2.0-capable application into the eIAM service requires a sound knowledge of the SAML 2.0 pro… be integrated. The application must be adapted to the eIAM service. … service. eIAM will be configured according to the dossier. Custom ad…nfigured according to the dossier. Custom adaptations of eIAM for the single use of an application are out of scope.…defined as supported below is NOT supported by Service eIAM. SAML 2.0 profiles supported by …. SAML 2.0 profiles supported by eIAM-Web PEP The table below shows the SAML 2.0 profiles to… SAML 2.0 profiles to be used by actors in the service eIAM. Actor Web Browser SSO Profile Single Logout Profile A…

Cooperation obligations of the customer

… client: In general: In addition to the creation of an eIAM-Dossier , the following rules of …-Dossier , the following rules of eIAM integration must also be complied with: To federate th…rifications for the use of delegated management, WSG , eIAM- LDS and …- LDS and eIAM- AMW interfaces must be completed and documented in th…AMW interfaces must be completed and documented in the eIAM dossier. The … dossier. The eIAM dossier must be completed in full at least 3 weeks bef…ing element (SAP WBS element) must be submitted to the eIAM team at least 2 weeks before the REF delivery date. If…

Rollout of delegated management

…e in IDM, but in a dedicated web user interface of the eIAM AdminPortal. This can also be recorded automatically …ically by the target application via an interface. API eIAM-RDM In order to be able to delegate to one or more int…rnal organisational units, you open so-called units in eIAM, which represent these organisational units. The units…l units. The units are therefore a structuring of your eIAM access client. For each unit, you invite at least one …so within the framework of the delegated management of eIAM. Preparation The use of delegated management requires …l preparations. In principle, the functionality of the eIAM AdminPortal is already available within … AdminPortal is already available within eIAM and can be used at any time. Procedure The following d…

SR-Gruenhorn

…nts, as well as new functionalities and changes to the eIAM Services as per the Roadmap DTI. Please note that date…e REF:      ⇨ 02.07.2024 ↴ ⚒ Regression testing ❌❎ ✉ ➔ eIAM ⚒✅ ABN:    ⇨ 14.08.2024 ↴ ⚒ Regression testing ❌❎ ✉ ➔ … ⚒✅ ABN:    ⇨ 14.08.2024 ↴ ⚒ Regression testing ❌❎ ✉ ➔ eIAM ⚒✅ PROD:  ⇨ 08.09.2024 Sunday ⚒ Final Inspection ❎❎ ✉ …✅ PROD:  ⇨ 08.09.2024 Sunday ⚒ Final Inspection ❎❎ ✉ ➔ eIAM Changes - Innovations CH-LOGIN - No registration of a …n with MS Office applications (MS-OFBA) Migration from eIAM to the FOITT RHOS container platform Preliminary infor…ghorn’ - Separation of the SOAP web service interface (eIAM-WS) for internal and external use by the Federal Admin…se by the Federal Administration Regression testing by eIAM customers Your cooperation is necessary and very impor…

Requirements for the project

…ject Before the integration of an application into the eIAM service can take place, a number of specifications and… other formal requirements must be met. Basically, the eIAM service makes specifications for the integration of ap…pecifications for the integration of applications. The eIAM dossier contains various elements for the collection o…omprehensible according to the progress. The graphical eIAM project flow & control and the … project flow & control and the eIAM dossier should help you to involve your stakeholders c… involve your stakeholders correctly. Responsibilities eIAM Application The figure below shows schematically in wh…ion The figure below shows schematically in which area eIAM and in which area the project has organisational respo…

SR-Hohberghorn

…nts, as well as new functionalities and changes to the eIAM Services as per the Roadmap DTI. Please note that date…e REF:      ⇨ 12.09.2024 ↴ ⚒ Regression testing ❌❎ ✉ ➔ eIAM ⚒✅ ABN:    ⇨ 09.10.2024 ↴ ⚒ Regression testing ❌❎ ✉ ➔ … ⚒✅ ABN:    ⇨ 09.10.2024 ↴ ⚒ Regression testing ❌❎ ✉ ➔ eIAM ⚒✅ PROD:  ⇨ 03.11.2024 Sunday ⚒ Final Inspection ❎❎ ✉ …✅ PROD:  ⇨ 03.11.2024 Sunday ⚒ Final Inspection ❎❎ ✉ ➔ eIAM Changes - Innovations Separation of the SOAP web servi…ovations Separation of the SOAP web service interface (eIAM-WS) for internal and external use by the Federal Admin…ies in the enterprise context Support for testing with eIAM – Canary testing Support for testing with … – Canary testing Support for testing with eIAM - prevent autologon The provisioning of …

Testing without Autologon

…twork, even when using a VPN connection, the login via eIAM is typically automatic through the identity provider F…

SR-Jungfrau

…nts, as well as new functionalities and changes to the eIAM Services as per the Roadmap FCh-DTI. Please direct you…e REF:      ⇨ 04.12.2024 ↴ ⚒ Regression testing ❌❎ ✉ ➔ eIAM ⚒✅ ABN:    ⇨ 15.01.2025 ↴ ⚒ Regression testing ❌❎ ✉ ➔ … ⚒✅ ABN:    ⇨ 15.01.2025 ↴ ⚒ Regression testing ❌❎ ✉ ➔ eIAM ⚒✅ PROD:  ⇨ 16.02.2025 Sunday ⚒ Final Inspection ❎❎ ✉ …✅ PROD:  ⇨ 16.02.2025 Sunday ⚒ Final Inspection ❎❎ ✉ ➔ eIAM Changes - Innovations Replacement of eID+ Schaffhausen…undle) Replacement of BE-Login with AGOV (BYOI Bundle) eIAM Admin Portal – user search across all authorised units…-First (preliminary information) Regression testing by eIAM customers Your cooperation is necessary and very impor… be able to guarantee the stable and secure productive eIAM service, we require meaningful regression tests of the…

WS-Federation in the Federal Administration Network

…tegration managers who integrate applications with the eIAM service within the Federal Administration network on t…f the Federal Administration that is protected via the eIAM web component. The individual steps are described belo…b component. The individual steps are described below. eIAM user access to a protected resource with WS-Federation…access the protected resource of a web application The eIAM-Web PEP detects that the resource to be accessed is pr…ticated. 2 SAML AuthnRequest to user's web browser The eIAM-Web PEP issues a signed SAML 2.0 AuthnRequest to the …-Web PEP issues a signed SAML 2.0 AuthnRequest to the eIAM Trustbroker and sends it as a self-submitting form to …form to the user's web browser. 3 SAML AuthnRequest to eIAM Trustbroker The user's browser automatically sends the…

cug pptx eIAM Midterm-Präsentation

eIAM Midterm-Präsentation …

SR-Freiburger

…tency Checker (CC) supports the consistency of data in eIAM. It synchronises changes between the federated identit…

SAML 2.0 configuration (metadata)

…etadata) In order to simplify the configuration of the eIAM-Web service and the application, configuration data mu…s, so-called metadata, which must be exchanged between eIAM-Web and the application. These are mandatory, as a man…ate the metadata of the application and send it to the eIAM FOITT. What should also be done on the application sid…de FOITT operation Technical support => Responsibility eIAM staff Certificate support => pki-info@bit.admin.ch SAM…upport => pki-info@bit.admin.ch SAML metadata.xml from eIAM The information needed to configure the SAML 2.0 capab… configure the SAML 2.0 capable application to use the eIAM-Web as IdP is provided to the project by the …-Web as IdP is provided to the project by the eIAM service in the form of a metadata file in XML format (…

Federal Trustbroker (BTB)

… Federal Trustbroker (BTB) From autumn 2022, eIAM was gradually moved from virtual machines to the FOITT…astructure. With these moves, the functionality of the eIAM trust brokers, which were responsible for identity and… identity and attribute brokering, was migrated to the eIAM in-house development called Bundestrustbroker (BTB). T…es the current BTB cover? Replacement for the existing eIAM Trustbroker, which is based on Microsoft ADFS and oper… the introduction of PEP functionality on the BTB, the eIAM architecture for standard … architecture for standard eIAM integrations could be simplified, as dedicated PEPs ar…of the Bundestrustbroker as a federation component for eIAM, we set the course for the future. We eliminated techn…

Post Run

…ple who work with enthusiasm! Cordially welcome to the eIAM post run! Post 1 little warmup to start with small war…t with small warmup⇨ Post 2 What can you expect during eIAM dossier creation? … dossier creation? eIAM Dossier Questions⇨ Post 3 What are my options for … Dossier Questions⇨ Post 3 What are my options for eIAM integration? Integration pattern⇨ Congratulations you …usage obligation , you recognise the added value of an eIAM implementation for your end customers. …

Testing in Canary mode

… Testing in Canary mode Support for testing with eIAM eIAM uses a modern Continuous Integration / Continuous Depl…nfrastructure, which allows for a canary deployment of eIAM components. This means that two release versions can r…

OIDC: Standard identifier and attributes

…of "as few as possible, as many as necessary". So, for eIAM standard integrations as a specialist applications (fe…e, then please address this and list your needs in the eIAM dossier. Identifier In the … dossier. Identifier In the eIAM standard integration, the JWT (token) that is sent to … attribute Attribute format Description http://schemas.eiam.admin.ch/ws/2013/12/ identity/claims/e-id/userExtId ur…f the authentication. All attributes provided are from eIAM are taken from … are taken from eIAM attributes (originalIssuer="uri:… attributes (originalIssuer="uri:eiam.admin.ch:feds"), no attributes from IdP will be provid…

Delegated Management

…oncerns about delegated management, please contact the eIAM platform team: … platform team: eIAM-Operations@bit.admin.ch . …-Operations@bit.admin.ch . eIAM offers a delegation of user administration to internal…do I have the delegated management switched on? To use eIAM's delegated user management, contact your account mana…management, contact your account manager at FOITT. The eIAM client (access client) to which the application requir…l expenditure. For applications that already work with eIAM and want to use the delegated management subsequently,…tegrations, the delegated management is ordered in the eIAM dossier, the 10 days are mapped in the service contrac…

SAML 2.0 Integrationpattern RP-PEP

…r accesses a web application that is protected via the eIAM web component (RP-PEP). The individual steps are descr…access the protected resource of a web application The eIAM-Web PEP detects that the resource to be accessed is pr…nticated 2 SAML AuthnRequest to user's web browser The eIAM-Web PEP issues a signed SAML 2.0 AuthnRequest to the …-Web PEP issues a signed SAML 2.0 AuthnRequest to the eIAM Trustbroker and sends it as a self-submitting form to … form to the user's web browser 3 SAML AuthnRequest to eIAM Trustbroker The user's browser automatically sends the…The user's browser automatically sends the form to the eIAM Trustbroker via browser POST using JavaScript. 4 Home…ry and SAML AuthnRequest to the user's web browser The eIAM Trustbroker performs a Home Realm Discovery and determ…

Self-registration unaccounted for or with video identification

…ation unaccounted for or with video identification The eIAM's own identity provider CH-LOGIN offers electronic ide…t manual activation by a responsible person, is set in eIAM per target application. The identity of the persons re… by means of ID checks and to link it to the CH-LOGIN, eIAM offers a video identification . Introductory video to …

RDM Integration

…L REF ABN PROD API endpoint https://services.portal-r. eiam.admin.ch/portal/rdm-api/v2/ https://services.portal-a.…admin.ch/portal/rdm-api/v2/ https://services.portal-a. eiam.admin.ch/portal/rdm-api/v2/ https://services.portal. ….admin.ch/portal/rdm-api/v2/ https://services.portal. eiam.admin.ch/portal/rdm-api/v2/ API swagger UI (to try the…try the API in the browser) https://services.portal-r. eiam.admin.ch/portal/rdm-api/v2/swagger-ui.html https://ser…/rdm-api/v2/swagger-ui.html https://services.portal-a. eiam.admin.ch/portal/rdm-api/v2/swagger-ui.html https://ser…tal/rdm-api/v2/swagger-ui.html https://services.portal.eiam. admin.ch/portal/rdm-api/v2/swagger-ui.html Onboarding…ds onboarding eMails/letters) https://www.myaccount-r. eiam.admin.ch/portal/ selfadminservice/app /onboarding http…

RDM Integration patterns

…ail) The "clientExtId" is a unique identifier for your eIAM access client and will be provided to you. To onboard …e person will provide the onboarding code. Step 5: The eIAM access client user will now be linked with the CH-LOGI… where then one or other form of access request (Link: eIAM Access Request (ARQ) ) will happen. In standard integr…match the onboarded user on each login. Onboard users (eIAM sends the eMail) The "clientExtId" is a unique identif…ail) The "clientExtId" is a unique identifier for your eIAM access client and will be provided to you. To onboard …t need to process the response (unless it's an error). eIAM will send an onboarding eMail to the person. The eMail…e person will provide the onboarding code. Step 5: The eIAM access client user will now be linked with the CH-LOGI…

IDM role request as BVA to GKA

…on ABN IDM link: ➞ User administration REF 1 IDM role: eIAM-ID Administration for granting authorisation to applic… Continue 4 Final message of the IDM role request. Now eIAM starts the authorisation process by sending a mail to …

SAML: Standard identifier and attributes

…of "as few as possible, as many as necessary". So, for eIAM standard integrations as a specialist application, you…e, then please address this and list your needs in the eIAM dossier. Identifier For … dossier. Identifier For eIAM standard integration, the SAML assertion (token) sent … attribute Attribute format Description http://schemas.eiam.admin.ch/ws/2013/12/ identity/claims/e-id/userExtId ur…d in the AuthnStatement like this (Example for urn:qoa.eiam.admin.ch:names:tc:ac:classes:40): urn:qoa.….admin.ch:names:tc:ac:classes:40): urn:qoa.eiam.admin.ch:names:tc:ac:classes:40 Standard attribute set…f the authentication. All attributes provided are from eIAM and will have originalIssuer="uri:…

Notes for pentests of applications

… Notes for pentests of applications When eIAM-integrated applications are tested for security using …est, there are often also findings that are related to eIAM. This page documents recurring findings in …. This page documents recurring findings in eIAM and describes their significance. Handling Samesite at…the following rules apply to the SameSite attribute in eIAM: samesite=none is set EXCEPT: The application is RP-PE…

Formal commissioning of the BIT & financing

… financing eGovernment Identity and Access Management (eIAM) The provision of …) The provision of eIAM is agreed in a separate integration project or as a su…ing and the integration of the business application in eIAM Commissioning and financing via Remedy Order In Remedy…In Remedy, two business cases CRQ are available for an eIAM implementation. one for the … implementation. one for the eIAM standard implementation with a defined cost ceiling of…of CHF 15,000 and a duration of approx. 3 months. This eIAM-CRQ is created by the client IM and approved by him, i…parties involved record their time expenditures on the eIAM Remedy Collector, indicating the CRQ number. At the en…

SR-Merlot

… bounty program With the release "Merlot" some bugs in eIAM classified as "minor", which were discovered by the … classified as "minor", which were discovered by the eIAM bug bounty program, were fixed. Update of various SW c…rogram, were fixed. Update of various SW components of eIAM (Cluster Update) As part of the release "Merlot", vari…f the release "Merlot", various software components of eIAM will be updated. The ongoing update of the software co…ated. The ongoing update of the software components of eIAM forms the foundation for the support of very interesti…for the support of very interesting future features in eIAM. At the same time, …. At the same time, eIAM ensures that our customers benefit from bug fixes and …

Stakeholder Groups

eIAM internal stakeholders We work according to the SAFe me…ment, collaboration and execution across the different eIAM teams. eIAM focal points eIAM-external stakeholders in the course of the project and…ddressed and held accountable at certain stages of the eIAM integration: Initial contact/main point of contact PM …e (TechInfos questionnaire), i.e. before commissioning eIAM, the PM customer/partner must take the following stake… PM customer/partner has to ensure the coordination of eIAM with the following stakeholder groups Contact person d…

Integration patterns

…uirements differ greatly depending on the application, eIAM offers various existing integration patterns. The eIAM dossier should help to determine the optimal integrati… the part of the application as well as on the part of eIAM. Pattern - Integration without Access Management in eIAM (Authentication Only) With this form of integration, o…ion only obtains the "authentication" service from the eIAM service. The complete access management including the … the quality of the authentication performed Following eIAM functions cannot be ordered with the Authentication Only Pattern eIAM-AM (access management) …

Message Management

…nagement". "Message Management" Administration via the eIAM AdminPortal …

Federation with SAML2.0

The eIAM-Web PEP provides information about the identity and ot…o the "IdP initiated" or the "SP initiated" scenario. eIAM generally only offers "SP initiated" because this giv… If these do not match between the application and the eIAM web, the eIAM web and the application cannot communicate successfully and the application cannot be integrated into the eIAM service. Functionality Depending on your needs, there …two types of federation available STS-PEP for standard eIAM integration (eIAM provides a token service) RP-PEP for …

Self-registration

eIAM's own IdP CH-LOGIN provides eIDs in eGov context, that… release by an authentication authority, is defined in eIAM for each target application (see next service 5 "Onboa…

CH-LOGIN first

The CH-LOGIN first representation of eIAM is an alternative to the IDP choice representation as …

Identity Providers & protocols (IdPs)

eIAM supported federation protocols eIAM provides the connected web applications and native mob…y of the resulting association. * For an example of an eIAM login in a native mobile app, see and source code for it. eIAM uses the identity protocols OIDC, SAML2.0 and WS-Feder…ations and native mobile apps can thus be connected to eIAM. It is important to understand that even if an applica…r OIDC, the federation for authenticating the user via eIAM-Web, eIAM-TrustBroker and IdP is always done via the SAML 2.0 pr…

Autoprovisioning

…e autoprovisioning instance, please be sure to contact eIAM Consulting. Important to note! Users added via an API …r criteria the system is very flexible, please contact eIAM Consulting for this. Filter options The following filt…ns if required and reasonable. Overview identities in eIAM, unit, profiles and roles Identities in eIAM & Units, Profiles and Roles Added value of autoprovisioning For applications that already work with eIAM and want to use autoprovisioning subsequently, this mu…w integrations, delegated management is ordered in the eIAM dossier. Cost consequence for customers Autoprovisioni…

OIDC Integration patterns

…plication cluster), there is currently no service from eIAM providing this functionality. Sample authorisation ser…

Federation with OIDC

…lity must be available. It's important to note that in eIAM only OIDC is implemented. The provided OAuth2 token is opaque and only eligible to use the eIAM userinfo API endpoint, which provides user data and is…

Kickoff Meeting

…ct a kickoff meeting with all involved parties and the eIAM SIE (Service Integration Manager) to carry out the fur…ntation and operation). Link: Template Kickoff Meeting eIAM-Integration In the eIAM dossier you will now, in cooperation with your stakeholders and the eIAM SIE, record the exact technical specifications (infras…

Detailed technical requirements for the WS-Federation interface

…uthentication. This value is returned unchanged by the eIAM-Web PEP to the Relying Party with the response. Should…ue that only the Relying Party knows. Session setup in eIAM with WS-Federation Web applications that federate usin… protocol submit a request for a security token to the eIAM-Web PEP using a wsignin request. The eIAM-Web PEP can issue security tokens in the formats SAML … runs according to the following figure. Session setup eIAM and application with federation Request for a SAML 1.1 Security Token The eIAM-Web PEP accepts the wsignin requests under /auth/wsfed/ipsts11 Request for a SAML 2.0 Security Token The eIAM-Web PEP accepts the wsignin requests under /auth/wsfed…
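
The snippet above describes the WS-Federation passive flow: the application sends a wsignin request to the eIAM-Web PEP (the SAML 1.1 endpoint is /auth/wsfed/ipsts11) and a context value is returned unchanged, so the relying party should use a value only it knows. The following is an added example, not eIAM's or the page's code, of how a relying party can use the standard wctx parameter as that value: generate an unguessable per-login token, bind it to the browser session, and reject any response whose wctx does not match or that is replayed. The host name, realm, session store and session ids are assumptions for the demo; the page only gives the path. Verifying the signed token in wresult is a separate step not shown here.

```python
"""Added example (not eIAM's code): build a wsignin1.0 request to the
eIAM-Web PEP and check the returned wctx against a per-session value."""
import hmac
import secrets
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode, urlsplit

EIAM_WEB_PEP = "https://eiam.example.invalid"  # assumed host, not from the page
IPSTS11_PATH = "/auth/wsfed/ipsts11"           # SAML 1.1 token endpoint, from the page

# In-process store of outstanding wctx values keyed by the RP's own session id.
# A real relying party keeps this in its server-side session.
_pending: Dict[str, str] = {}


def build_wsignin(realm: str, session_id: str) -> str:
    """Return the redirect URL for a wsignin1.0 request carrying a fresh wctx."""
    ctx = secrets.token_urlsafe(32)      # value only the RP knows
    _pending[session_id] = ctx
    params = {"wa": "wsignin1.0", "wtrealm": realm, "wctx": ctx}
    return f"{EIAM_WEB_PEP}{IPSTS11_PATH}?{urlencode(params)}"


def wctx_of(url: str) -> Optional[str]:
    """Read the wctx query parameter back out of a request URL."""
    values = parse_qs(urlsplit(url).query).get("wctx", [])
    return values[0] if values else None


def accept_wsignin_response(session_id: str, form: Dict[str, str]) -> bool:
    """Validate the POSTed wsignin response for this session.

    The pending wctx is consumed on the first attempt (matching or not), so a
    captured response cannot be replayed and a forged one burns the login.
    Only the context binding is checked here; the token in wresult still has
    to be signature-verified before any identity information is used.
    """
    expected = _pending.pop(session_id, None)
    received = form.get("wctx")
    if form.get("wa") != "wsignin1.0" or expected is None or received is None:
        return False
    return hmac.compare_digest(expected, received)


if __name__ == "__main__":
    url = build_wsignin("urn:example:rp", "session-1")
    print(url)
    print(accept_wsignin_response("session-1", {"wa": "wsignin1.0", "wctx": wctx_of(url)}))
```

The same check applies to the SAML 2.0 endpoint; only the path differs, and the page truncates that one.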

Authentication for Webservices

The eIAM WSG (web service gateway) can be used to protect SOAP-… services effectively from unauthorised access. In the eIAM access manager, customers themselves manage the techni…ubject (technical user) and his/her permissions in the eIAM access manager are transmitted to the web service usin…okens in either the SOAP header or an HTTP header. One eIAM WSG is required for each web service that is to be pro…

Access Management

While it is mandatory to obtain an eID via eIAM, the use of eIAM's access management is optional, i.e. permissions suc…s often the case, using granular access: high-level in eIAM's access management, low-level in the target application. In eIAM's access management, permissions can be modelled via u…

Detailed technical requirements from the SAML 2.0 interface

…CS) URL The destination address of the response of the eIAM-Web PEP (from the perspective of the application of th…rnative the destination address of the response of the eIAM-Web PEP to the AuthnRequest of the application can be …application MUST be signed to avoid CSRF attacks. The eIAM-Web PEP will return the SAML 2.0 response to this URL.…

Remedy CRQ Opening

…medy production System: Instruction opening CRQ "Order eIAM Integration" Remedy CRQ eIAM Integration Instruction opening CRQ "Sales order gener…