Release Notes / Customer Information

>>> Aletschhorn 9 July 2023 <<<

Status: Final

The Release Notes (RN) report on the enhancements, as well as new functionalities and changes to the eIAM Services as per the Roadmap DTI.

Please note that dates for the completion of documentation and concepts usually refer to the end of a release period and have nothing to do with the individual release dates (Release Dates) for functionalities.

Introduction dates / innovations

REF: 2 May 2023 <Tests!>   ABN: 16 May 2023 <Tests!>   PROD: 9 July 2023

  • FED-LOGIN "totally smartcardless" (for external employees)
  • Use FED-LOGIN without smartcard (for smartcard holders)
  • eIAM Deleg. Mgmt. - Onboarding Enterprise Identities with People Picker
  • Management of technical identities in eIAM
  • Migrations to the new eIAM CI/CD automation platform

Regression testing by eIAM customers
Your cooperation is necessary and very important. In the last releases, we had problems in the higher operating environments (ABN, PROD) only where applications had not carried out their regression tests in advance on REF and/or ABN. These are unnecessary problems which we can avoid together. We count on your support here. It is important that you carry out your regression tests carefully and report any problems to the testing team promptly and in a qualified manner.

Process and expectations for SR introductions

In order to guarantee a stable and secure productive eIAM service, we require meaningful regression tests of the applications in the REF and ABN instances before the SR rollout to PRODUCTION. You have at least 14 days per stage to do this. Please plan your test activities early in these periods so that any bug fix releases can be delivered in good time.

These release notes will help you to plan the regression tests in relation to the eIAM functionalities you use and will also serve as a source of information for your end customer communication. Please note that the final version of the release notes with all necessary details will be delivered shortly before the productive installation.

Important
If you encounter problems during your regression tests, please inform our testing team immediately at: Testing-eiam@bit.admin.ch. Our colleagues will take your input, check it and consolidate it. We would like to thank you for your important assistance and support in order to maintain and further improve the high quality standard of the service releases!

eIAM contact person

If you have any questions or concerns about eIAM, ePortal or PAMS, you can contact the following offices or persons:

eIAM contact points

Release Notes

FED-LOGIN "totally smartcardless" (for external staff)

Video identification and Mobile ID for Mobile VDI users without a smartcard.
Until now, internal/external employees of the federal administration who are not equipped with a smartcard could not access resources that require strong authentication (e.g. GEVER), because they do not have an electronic identity of a correspondingly high quality.

Rationale:
  • The person has not gone through a smartcard issuance process during which the person's identity is verified with the necessary quality.
  • Without a smart card, the person does not have a means of proof of identity of the required quality.
The "totally smartcardless" feature makes it possible for internal/external employees of the Federal Administration with a FED-LOGIN account who are not to be equipped with a Federal Administration smartcard to prove their identity at the required high quality, and to register and use a high-quality means of proof of identity, the Mobile ID, in FED-LOGIN. The combination of high-quality identification of the person, high-quality binding of the means of identification to the person and high-quality recognition of the identity allows authentication with FED-LOGIN at level QoA50 or level "high". This means that people without a smartcard can now obtain an electronic FED-LOGIN identity that enables authentication for access to applications with increased protection requirements. Users who have registered the Mobile ID as a second factor can also reset their password themselves via the password reset flow in FED-LOGIN.

More information with the corresponding upgrade instructions can be found at:
FED-LOGIN totally smartcardless

FED-LOGIN without smartcard insertion (for smartcard holders)

You manage the alternative login data by logging in with your smartcard under MyAccount. There you first set a password and can then register one or more second factors (e.g. the Mobile ID, a telephone number for SMS confirmation codes (mTAN), or an Authenticator App that generates periodically changing codes).

Please note that different requirements apply to the quality of authentication depending on the application. We therefore recommend that you register the Mobile ID, which meets high requirements for the quality of authentication (QoA50), whereas other second factors such as mTAN or Authenticator App are rated weaker.

To set a new FED-LOGIN password, all users previously had to set it in MyAccount using the smartcard. Now, users who have registered the Mobile ID as a second factor can reset their password via a password reset flow in FED-LOGIN without having to use the smartcard. This is particularly useful if FED-LOGIN authentication is to take place with password and Mobile ID, the user no longer knows the password, and either the smartcard itself or a terminal device with a card reader is not available.

More information with the corresponding instructions can be found at:
Use FED-LOGIN without smartcard (for smartcard holders)

eIAM Deleg. Mgmt. - Onboarding Enterprise Identities with People Picker

In the delegated management of eIAM-AM, all persons, i.e. also employees of the federal administration and of the cantonal/municipal administrations, had to be onboarded via an invitation procedure until now. The "People Picker" feature in the delegated management of eIAM-AM now makes it possible for people to be onboarded directly by the delegated manager, without having to go through an invitation procedure. The delegated manager can use the "People Picker" function to search by e-mail address for the electronic identities of employees of the federal administration and of the cantonal/municipal administrations, and to create a profile for them in the corresponding unit. In other words, the person to be authorised can be completely onboarded and authorised by the delegated manager and can then use these authorisations directly.

For more information, see: People Picker

Management of technical identities in eIAM

In addition to identities of natural persons, identities of technical users are also managed and used in eIAM. In the past, it was possible to register such technical identities in self-service and to deposit a software certificate as proof of identity. This practice led to poorly controlled identities in the enterprise context. New processes have been defined in eIAM that establish a clean life cycle for these technical identities, with a software certificate as proof of identity, and thus increase the overall security of access to applications.

More information can be found at: [Forms Managed Techuser: brief instructions]

Migrations to the new eIAM CI/CD automation platform

All components of eIAM, both central and customised, will be migrated successively and in a staggered manner to the new CI/CD (Continuous Integration / Continuous Deployment) operating platform. This container-based operating platform helps us to scale eIAM better and to meet future requirements for integrations and further development of the eIAM service. With the Aletschhorn release, further components will be migrated from the classic eIAM operating platform to the new CI/CD operating platform. Ideally, these migrations will be transparent for you as an eIAM customer as well as for the users of your applications. Customers who are directly affected by a migration are informed about the planned migration.

You can find more information about this under: eIAM Automation (CI/CD)