eIAM Web GUI CH-LOGIN Self-Registration
The CH-LOGIN IdP provides users of applications using the eIAM service with an identity provider for authentication by username and password. Optionally, an SMS code can be used as a second factor for stronger authentication. Users of the CH-LOGIN can register themselves to use this IdP for the recognition of their claimed identity. This IdP is mainly used for eGov users, as they usually do not have a stronger authentication means that the eIAM service supports.
CH-LOGIN Self-Registration Description
If the application wants to offer an extended self-registration for users, where the user has to provide additional information, it MUST use the self-registration of the CH-LOGIN IdP in the eIAM service to create the identity of the user. After the user's self-registration in the CH-LOGIN, the application may implement a further self-registration in order to request further attributes about the user and to store and maintain these attributes outside the eIAM service.
CH-LOGIN Self-Registration URL
The CH-LOGIN self-registration CAN NOT be called directly from applications. To use the CH-LOGIN IdP self-registration, authentication MUST be triggered on the user's request to the eIAM-Web PEP (the user must be directed to a URL in the protected area to start authentication). When subsequently selecting the IdP (if several are offered for the web application), the user must select the IdP "CH-LOGIN".
Figure: Interactive Home Realm Discovery on eIAM Trustbroker
The CH-LOGIN IdP offers the user the possibility of self-registration in addition to the actual authentication and password reset.
Figure: CH-LOGIN IdP Trigger Self-Registration
The user is then guided through the process of self-registration.
Figure: CH-LOGIN IdP Self-Registration
Comment: For more information on the CH-LOGIN, see
CH-LOGIN Control of Authentication Strength External Applications
In the case of applications hosted outside the networks of the Federal Administration, the eIAM-Web PEP does not know by itself which authentication strength the application that sends it a SAML 2.0 authentication request requires on the CH-LOGIN IdP. With this eIAM solution pattern, the eIAM-Web PEP therefore expects the application to send the accepted AuthnContextClassRef values in the SAML 2.0 AuthnRequest itself. An application hosted outside the networks of the Federal Administration MUST send, with the AuthnRequest, the exact values of the AuthnContextClassRefs that are acceptable from its point of view. In doing so, the application controls whether an SMS code is enforced on the base IdP, as follows:
Legacy (no RequestedAuthnContext in the AuthnRequest):

| AuthnContextClassRef in SAML 2.0 AuthnRequest | Level | Continue without SMS code possible |
|---|---|---|
| none (legacy setting for backwards compatibility) | weak | YES |

Mobile phone optional (AuthnRequest includes PasswordProtectedTransport):

| AuthnContextClassRef in SAML 2.0 AuthnRequest | Level | Continue without SMS code possible |
|---|---|---|
| urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport | weak | YES |
| urn:oasis:names:tc:SAML:2.0:ac:classes:NomadTelephony | normal | YES |
| urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken | normal | YES |
| urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos | normal | YES |
| urn:oasis:names:tc:SAML:2.0:ac:classes:SoftwarePKI | normal | YES |
| urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI | strong | YES |

Mobile phone enforced (AuthnRequest without PasswordProtectedTransport):

| AuthnContextClassRef in SAML 2.0 AuthnRequest | Level | Continue without SMS code possible |
|---|---|---|
| urn:oasis:names:tc:SAML:2.0:ac:classes:NomadTelephony | normal | NO |
| urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken | normal | NO |
| urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos | normal | NO |
| urn:oasis:names:tc:SAML:2.0:ac:classes:SoftwarePKI | normal | NO |
| urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI | strong | NO |
Figure: Example registration and login, mobile phone optional
Figure: Example registration and login, mobile phone enforced
Note
If AuthnContextClassRef values other than those listed in the table are used in the SAML AuthnRequest, this may result in errors in the authentication of the user. In particular, an error results if the base IdP (CH-LOGIN) is to be used for authentication, an AuthnContextClassRef is defined in the AuthnRequest, but neither "urn:oasis:names:tc:SAML:2.0:ac:classes:NomadTelephony" nor "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" is included in the definition.
Restriction of allowed comparison values
Due to the limited support of comparison values in the eIAM Trustbroker, the application MUST use the value "exact" as Comparison:
<samlp:RequestedAuthnContext Comparison="exact">
Note
The use of comparison values other than "exact" such as "minimum", "better" etc. will lead to errors when processing the SAML assertion on the eIAM Trustbroker.
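The following is an added example, not code from the eIAM documentation or the eIAM service: it builds the RequestedAuthnContext fragment an external application would place in its AuthnRequest and lints a request against the rules from the table and the notes above (accepted class refs, the NomadTelephony-or-PasswordProtectedTransport requirement for CH-LOGIN, and Comparison="exact"). The function names and the set of known class refs are assumptions taken from this page, and the lint reports whether the request lets the user continue without an SMS code.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"
PPT = AC + "PasswordProtectedTransport"   # level "weak": continue without SMS code possible
NOMAD = AC + "NomadTelephony"             # level "normal": SMS code
# All class refs the tables on this page list as accepted for the CH-LOGIN IdP (assumption).
KNOWN = {PPT, NOMAD, AC + "TimeSyncToken", AC + "Kerberos",
         AC + "SoftwarePKI", AC + "SmartcardPKI"}
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def requested_authn_context_xml(class_refs):
    """Build the <samlp:RequestedAuthnContext> fragment an external application
    puts into its AuthnRequest: Comparison="exact" plus one ClassRef per value."""
    rac = ET.Element(f"{{{SAMLP}}}RequestedAuthnContext", Comparison="exact")
    for ref in class_refs:
        ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = ref
    return ET.tostring(rac, encoding="unicode")


def check_requested_authn_context(xml_text):
    """Lint an AuthnRequest (or a bare RequestedAuthnContext) against the rules on
    this page. Returns (ok, sms_code_optional, problems)."""
    root = ET.fromstring(xml_text)
    tag = f"{{{SAMLP}}}RequestedAuthnContext"
    rac = root if root.tag == tag else root.find(f".//{tag}")
    if rac is None:
        # Legacy setting: no RequestedAuthnContext at all -> level "weak", SMS code optional.
        return True, True, []
    problems = []
    # SAML 2.0 core defaults Comparison to "exact" when the attribute is omitted;
    # any other value is rejected by the eIAM Trustbroker.
    cmp = rac.get("Comparison", "exact")
    if cmp != "exact":
        problems.append(f'Comparison="{cmp}" is not supported; use "exact"')
    refs = [e.text.strip() for e in rac.findall(f"{{{SAML}}}AuthnContextClassRef") if e.text]
    for ref in refs:
        if ref not in KNOWN:
            problems.append(f"unknown AuthnContextClassRef {ref} may cause authentication errors")
    if PPT not in refs and NOMAD not in refs:
        problems.append("CH-LOGIN needs NomadTelephony or PasswordProtectedTransport in the request")
    # The SMS code can only be skipped when the weak class is among the accepted values.
    return not problems, PPT in refs, problems
```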