Release Notes / Customer Information

>>> Breithorn 6. August 2023 <<<

Status: Final

The Release Notes (RN) report on the enhancements, new functionality and changes to the eIAM services according to the Roadmap DTI.

Please note that dates given for the completion of documentation and concepts usually refer to the end of a release period and are unrelated to the individual release dates of the functionalities themselves.

Introduction dates / innovations


REF: 27 June 2023 (tests)
ABN: 12 July 2023 (tests)
PROD: 6 August 2023

  • Dismissable eIAM stage banner
  • MyAccount - new entry page "Home"
  • MyAccount - Set favorites
  • MyAccount - FED-LOGIN activation
  • Management of technical identities in eIAM
  • Adaptation of bot protection for access from outside the federal administration
  • Migrations to the new eIAM CI/CD automation platform

Regression testing by eIAM customers
Your cooperation is necessary and very important. In the last releases, the problems we had in the higher operating environments (ABN, PROD) occurred only where applications had not carried out their regression tests beforehand on REF and/or ABN. These are unnecessary problems which we can avoid together, and we count on your support here. It is important that you carry out your regression tests carefully and report any problems to the testing team promptly and with enough detail to reproduce them.

Process and expectations for SR introductions

In order to guarantee a stable and secure productive eIAM service, we require meaningful regression tests of the applications on the REF and ABN instances before the SR rollout to PRODUCTION. You have at least 14 days per stage to do this. Please plan your test activities early in these periods so that any bug-fix releases can be made in good time.

These release notes will help you to plan the regression tests in relation to the eIAM functionalities you use and will also serve as a source of information for your end customer communication. Please note that the final version of the release notes with all necessary details will be delivered shortly before the productive installation.

Important
If you encounter problems during your regression tests, please inform our testing team immediately at: Testing-eiam@bit.admin.ch. Our colleagues will take your input, check it and consolidate it. We would like to thank you for your important assistance and support in order to maintain and further improve the high quality standard of the service releases!

eIAM contact person

If you have any questions or concerns about eIAM, ePortal or PAMS, you can contact the following offices or persons:

eIAM contact points

Release Notes

Dismissable eIAM stage banners

The so-called "stage banners" in the upper left corner of eIAM's web pages are very convenient for users, as they make it easy to recognise that one is on a non-production environment. However, they get in the way when documentation (screenshots) has to be produced before a function is available on the productive environment. At the request of our customers, these stage banners can now be dismissed by clicking on them anywhere in eIAM. The dismissal is not persisted: the next time the page is loaded, the stage banner appears again, so the safeguard against mistaking a test environment for production remains in place.
Image: eIAM stage banner TEST
Image: the same page with the eIAM stage banner hidden


MyAccount - new entry page "Home"

Previously, when MyAccount was opened in the web browser, the user was directed to the "User Profile" page.

Now the user is automatically directed to the "Home" page. This view shows the applications for which the user holds permissions in eIAM, and the user can open them from this page, provided that a link for the application is stored in eIAM.

Please note that this applies only to calling MyAccount directly. If MyAccount is called from an application (single sign-on from the application with a return to the application), the "Home" page is generally not displayed; in this case, the user is still directed to the "User Profile" page.

MyAccount - Set favorites

Especially for users with permissions for many applications managed in eIAM, it can be tedious to search for the most frequently used applications in MyAccount every time.

MyAccount now lets the user set favourites by clicking on the star symbol in an application tile. Applications marked in this way are automatically listed under "Favourites" and can thus be reached more quickly. Clicking the star in the tile again removes the application from the favourites.

Depending on the screen size, the favourites are displayed at the top (small screens, e.g. smartphones) or on the left (large screens).

Image: setting an application as a favourite


MyAccount - FED-LOGIN activation

FED-LOGIN allows the user, after authenticating with a smartcard, to register alternative means of identity proof in MyAccount, such as a password and second factors (e.g. Mobile ID, mTAN/SMS, Authenticator App), and subsequently to use them on FED-LOGIN (e.g. to authenticate with the FED-LOGIN identity on a mobile phone).

In the past, after registering such an alternative means of identity proof, users also had to explicitly activate their FED-LOGIN account before they could use it. Users often overlooked this step, and their subsequent authentication attempts failed.

Now FED-LOGIN is activated automatically as soon as a second factor has been registered, so the user can log in without a smartcard. Note that registering the second factor in the first place still requires a prior smartcard authentication.

Management of technical identities in eIAM

eIAM FED-LOGIN supports authentication by smartcard, Active Directory single sign-on (Kerberos ticket), Class C software certificate, and alternative means of identity proof such as password combined with Mobile ID, mTAN/SMS or an Authenticator App (OATH).

In the past, it was possible to authenticate to FED-LOGIN with a software certificate or an Active Directory account even if the identity represented by that certificate or account was not known to eIAM through the provisioning process from the Central Identity Store (CIS). The identity credential (certificate or Kerberos ticket) could be used in the self-registration process to create an eIAM federated identity and identity credentials in access clients. In the enterprise context, where the life cycle of every identity must be managed, this leads to governance issues: identities that exist only because a trusted credential was once presented have no owner and no managed life cycle.

As of the Breithorn release, it is no longer possible to create an identity usable with FED-LOGIN via self-registration, nor to maintain such an identity via self-administration in MyAccount.

Personal identities usable in FED-LOGIN and managed in CIS are maintained automatically via the provisioning processes. Any other identity that is to be usable in FED-LOGIN must be created and maintained within eIAM itself through traceable life-cycle processes.

This applies in particular to identities that authenticate with SG-PKI Class C software certificates or Active Directory accounts that are not directly assigned to an employee (internal/external) of the federal administration according to the Central Identity Store (e.g. F-accounts, S-accounts, T-accounts).

More detailed information can be found on the page: Forms: Managed Techuser

An attempt to authenticate to FED-LOGIN with an identity unknown to eIAM now results in a corresponding message being displayed to the user.

Image: error message "unknown identity"
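The following is an added example and not eIAM's own code. It contrasts the pre-Breithorn behaviour described above (a trusted certificate or Kerberos ticket for a subject unknown to eIAM silently creates a federated identity via self-registration) with the Breithorn rule (only identities provisioned from CIS, or created in eIAM through a managed life-cycle process, may authenticate, and a deprovisioned identity is rejected even if its certificate is still valid). The store, the subject strings and the "source" labels are constructed for illustration and are not eIAM data structures.

```python
"""Credential-to-identity resolution for a FED-LOGIN style authenticator.

Added example, not eIAM code. Store contents, subject formats and the
'source' labels ("CIS", "EIAM", "SELF") are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional


class UnknownIdentityError(Exception):
    """Raised when the presented credential maps to no managed identity."""


@dataclass
class Identity:
    subject: str       # certificate subject DN or Kerberos principal
    source: str        # "CIS" (provisioned), "EIAM" (managed tech user), "SELF" (self-registered)
    active: bool = True


class IdentityStore:
    def __init__(self, identities: Iterable[Identity]):
        self._by_subject: Dict[str, Identity] = {i.subject: i for i in identities}

    def lookup(self, subject: str) -> Optional[Identity]:
        return self._by_subject.get(subject)

    def self_register(self, subject: str) -> Identity:
        # Pre-Breithorn path: an identity comes into existence merely because
        # a credential the PKI or AD trusts was presented. Nobody owns its life cycle.
        ident = Identity(subject, source="SELF")
        self._by_subject[subject] = ident
        return ident

    def deprovision(self, subject: str) -> None:
        # Life-cycle event from CIS (e.g. the employee leaves): the identity is
        # deactivated, so a still-valid certificate no longer authenticates.
        ident = self._by_subject.get(subject)
        if ident is not None:
            ident.active = False


def resolve_legacy(store: IdentityStore, subject: str) -> Identity:
    """Old behaviour: an unknown subject is auto-created (governance gap)."""
    return store.lookup(subject) or store.self_register(subject)


def resolve_breithorn(store: IdentityStore, subject: str) -> Identity:
    """New behaviour: only active, CIS-provisioned or eIAM-managed identities."""
    ident = store.lookup(subject)
    if ident is None or ident.source not in ("CIS", "EIAM"):
        raise UnknownIdentityError(f"unknown identity: {subject}")
    if not ident.active:
        raise UnknownIdentityError(f"identity deactivated: {subject}")
    return ident


def build_store() -> IdentityStore:
    """Constructed sample: one CIS-provisioned employee, one eIAM-managed tech user."""
    return IdentityStore([
        Identity("CN=Example User,O=Example Admin", source="CIS"),
        Identity("t-batchjob@EXAMPLE.LOCAL", source="EIAM"),
    ])


if __name__ == "__main__":
    store = build_store()
    print(resolve_breithorn(store, "t-batchjob@EXAMPLE.LOCAL"))
    try:
        resolve_breithorn(store, "CN=Stray Cert,O=Example Admin")
    except UnknownIdentityError as exc:
        print("rejected:", exc)
```

The point of the contrast is where the decision is made: in the legacy path the PKI or the domain controller effectively decides who may exist in eIAM, whereas in the new path only the identity store, fed by CIS provisioning or a traceable eIAM process, does.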


Adaptation of bot protection for access from outside the federal administration

In some processes, the eIAM service must be protected against automated actions that could damage the service. This concerns sensitive operations such as the triggering of e-mails or SMS messages and the automated creation of user accounts.

The previous solution worked completely transparently in the background for users. Its major disadvantage was that a real user who was wrongly classified as a bot had no way of proving that they were in fact human.

The new solution, Google reCAPTCHA, is also transparent for the user as long as the user is recognised as human with a high enough probability. If the system considers that probability too low, the user is first asked to tick a checkbox. If the bot detection is still not convinced that the user is human, the user is asked to solve a captcha. Google reCAPTCHA is an established and widely used bot detection solution and is accessible.
Image: Google reCAPTCHA as the bot detection solution

So that end-to-end testing and monitoring with automated processes remain possible from the networks of the federal administration, no captcha is used at all for access originating from those networks.
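The server-side decision logic that the escalating flow above implies, as an added example that is not eIAM's code. It assumes the reCAPTCHA siteverify response has already been fetched and parsed (the field names success, score, action and hostname are those of the documented siteverify JSON); the two score thresholds, the internal address ranges standing in for the federal administration networks, and the trusted-proxy list are assumptions for illustration. siteverify is not called, so the example runs offline on constructed responses. Because the exemption for internal networks switches the protection off entirely, the example also shows the check a practitioner wants around it: the client address must come from the TCP peer or from a trusted reverse proxy, never from an X-Forwarded-For header the client itself can set.

```python
"""Bot-protection decision modelled on the escalating reCAPTCHA flow above.

Added example, not eIAM code. Thresholds, network ranges and proxy list
are assumptions; siteverify responses are constructed, not fetched.
"""
import ipaddress
from typing import Optional

# Assumed ranges standing in for the federal administration networks.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12")]
# Assumed reverse proxies whose X-Forwarded-For header may be trusted.
TRUSTED_PROXIES = {ipaddress.ip_address("198.51.100.10")}

# Assumed thresholds on the reCAPTCHA v3 score (1.0 = very likely human).
SCORE_TRANSPARENT = 0.7   # at or above: no interaction required
SCORE_CHECKBOX = 0.3      # at or above: ask for the checkbox; below: full captcha


def client_ip(peer_ip: str, forwarded_for: Optional[str]):
    """Determine the client address without letting the client spoof it.

    X-Forwarded-For is honoured only when the TCP peer is a trusted proxy,
    and then only its rightmost entry (the one that proxy appended). Otherwise
    the peer address is used, so an external client cannot claim an internal
    source address merely to obtain the captcha exemption.
    """
    peer = ipaddress.ip_address(peer_ip)
    if peer in TRUSTED_PROXIES and forwarded_for:
        return ipaddress.ip_address(forwarded_for.split(",")[-1].strip())
    return peer


def is_internal(addr) -> bool:
    return any(addr in net for net in INTERNAL_NETWORKS)


def decide(verify: dict, addr, expected_action: str, expected_hostname: str) -> str:
    """Map a siteverify result to 'allow', 'checkbox', 'challenge' or 'deny'.

    'verify' is the parsed siteverify JSON for the token the browser sent
    along with the sensitive request (e.g. a request that triggers an SMS).
    """
    # Exemption for the internal networks so automated end-to-end tests and
    # monitoring can run; the token is not evaluated at all in this case.
    if is_internal(addr):
        return "allow"
    if not verify.get("success"):
        return "deny"                      # invalid, expired or already-used token
    # Bind the token to this form and this site; a valid token harvested from
    # some other page must not be replayable against the SMS endpoint.
    if verify.get("action") != expected_action or verify.get("hostname") != expected_hostname:
        return "deny"
    score = float(verify.get("score", 0.0))
    if score >= SCORE_TRANSPARENT:
        return "allow"                     # transparent for the user
    if score >= SCORE_CHECKBOX:
        return "checkbox"                  # first escalation step
    return "challenge"                     # second escalation step: full captcha


def decide_request(verify: dict, peer_ip: str, forwarded_for: Optional[str],
                   expected_action: str, expected_hostname: str) -> str:
    return decide(verify, client_ip(peer_ip, forwarded_for), expected_action, expected_hostname)


if __name__ == "__main__":
    # Constructed siteverify response for a likely-human external client.
    ok = {"success": True, "score": 0.9, "action": "send_sms", "hostname": "myaccount.example"}
    print(decide_request(ok, "203.0.113.7", None, "send_sms", "myaccount.example"))
```

When the result is "checkbox" or "challenge", the client re-submits the request with the token from the interactive widget and the same function is run again on the new siteverify result; the action and hostname checks are what keep a token obtained on one page from being reused on another.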

Migrations to the new eIAM CI/CD automation platform

All components of eIAM, both central and customer-specific, will be migrated successively and in a staggered manner to the new CI/CD (continuous integration / continuous deployment) operating platform. This container-based platform will help us to scale eIAM better and to meet future requirements for integrations and further development of the eIAM service. With the Breithorn release, further components are being migrated from the classic eIAM operating platform to the new CI/CD operating platform. Ideally, these migrations will be transparent for you as an eIAM customer as well as for the users of your applications. Customers who are directly affected by a migration will be informed in advance of the planned migration.

More information about this can be found at: eIAM Automation (CI/CD)