Release Notes / Customer Information
Castor 05.11.2023
The Release Notes (RN) report on the enhancements, as well as new functionalities and changes to the eIAM Services as per the Roadmap DTI.
Launch date
- REF: 03.10.2023, then regression testing
- ABN: 18.10.2023, then regression testing
- PROD: 05.11.2023 (Sunday), then final inspection
- Architecture change for OIDC integrations
- Support Swiss Government Regular CA 02
- Enterprise IdP of the Canton of Bern
- IdP HIN and HIN-EPR new federation architecture
- Readdressing eIAM Web Service Interface
- Sending e-mails from eIAM
- Migrations to the new eIAM CI/CD automation platform
Regression testing by eIAM customers
Your cooperation is necessary and very important. In the last releases, we had problems in the higher operating environments (ABN, PROD) only where applications had not carried out their regression tests in advance on REF and/or ABN. These are unnecessary problems which we can avoid together. We count on your support here. It is important that you carry out your regression tests carefully and report any problems to the testing team promptly and in a qualified manner.
Process and expectations for SR introductions
In order to be able to guarantee the stable and secure productive eIAM service, we require meaningful regression tests of the applications in the REF and ABN instances until the SR rollout to PRODUCTION. You have at least 14 days per stage to do this. Please plan your test activities early in these periods so that any bug fix releases are possible in good time.
These release notes will help you to plan the regression tests in relation to the eIAM functionalities you use and will also serve as a source of information for your end customer communication. Please note that the final version of the release notes with all necessary details will be delivered shortly before the productive installation.
Important
If you encounter problems during your regression tests, please inform our testing team immediately at: Testing-eiam@bit.admin.ch
eIAM contact person
If you have any questions or concerns about eIAM, ePortal or PAMS, you can contact the following offices or persons:
eIAM contact points
- Testing questions
  - eIAM-Testing-Team: Testing-eiam@bit.admin.ch
- Operational issues
  - eIAM Platform Team: eIAM-Operations@bit.admin.ch / +41 (0)58 469 88 55
  - Edgar Kälin BIT (PO eIAM Platform Team)
- Integration of new solutions
  - eIAM Integration Team: eIAM-Integrations@bit.admin.ch / +41 (0)58 469 88 55
  - Danny Rothe BIT (PO eIAM Integration): eIAM-Integrations@bit.admin.ch / +41 (0)58 469 88 55
- General questions, mgmt questions or complaints
  - Roger.Zuercher@bit.admin.ch, Service Manager eIAM / Project Manager (BO-eIAM)
- New requirements for eIAM
  - Service responsible for federated IAM (BO-eIAM)
  - Kadir Gelme (SM eIAM Testing)
Changes - Innovations
Architecture change for OIDC integrations
With the "Castor" release, all applications that are connected to eIAM with OIDC (OpenID Connect) as the federation protocol are connected directly to the eIAM TrustBroker (BTB). Previously, they were connected via an additional intermediary between the BTB and the application. This change reduces the complexity of the integration architecture. Nothing has to be changed on the side of the applications integrated with eIAM. The URL and signature certificates used for federation with OIDC remain unchanged. However, as previously announced, the applications integrated with OIDC must be tested in depth for regressions.
Applications that had explicitly reported problems in the context of BTB migration on REF will of course not be migrated on ABN. On PROD, only applications that have explicitly given positive feedback will be migrated to BTB. The remaining applications will be migrated in the course of the next months.
Support Swiss Government Regular CA 02
With the "Castor" release, the SG-PKI Class-C certificates (SW certificates) of the Swiss Government Root CA III and the Intermediate/Issuing CA Swiss Government Regular CA 02 are supported by eIAM as a means of identity verification. These certificates can now be used for authentication on FED-LOGIN as well as for authentication of access to eIAM's own API interfaces.
IdP HIN and HIN-EPR new federation architecture
The two sector IdPs (identity providers) "HIN" and "HIN-EPR" will be connected to eIAM with the "Castor" release in a new federation architecture. Nothing will change for the applications that use these IdPs. However, customers are requested to test the correct access to their applications with these IdPs.
Enterprise IdP of the Canton of Bern
With the "Castor" release, the Enterprise Identity Provider (IdP) of the Canton of Bern is connected to eIAM as a so-called "Sector IdP". This means that a first application of the FSO can use these identities. This IdP provides identities of employees of the Canton of Bern. As is usual with sector IdPs, the use of this IdP requires approval by FCh-DTI.
Readdressing eIAM Web Service Interface
Some applications use the eIAM Web Service Interface (SOAP Web Service for accessing IDM data). This interface will be moved to the CI/CD platform as part of the "Castor" release and will therefore be readdressed. The URL remains the same. However, the IP address of this endpoint will change. If you require special firewall port openings for the connection from your systems to these services, you must have these released by the operators of the respective firewall(s).
Stage | FQDN | Port | Old IP address | New IP address |
---|---|---|---|---|
REF | services.gate-r.eiam.admin.ch | 443 | 162.23.149.133 | 162.23.139.70 |
ABN | services.gate-a.eiam.admin.ch | 443 | 162.23.149.141 | 162.23.139.71 |
PROD | services.gate.eiam.admin.ch | 443 | 162.23.149.145 | 162.23.139.72 |
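
An added example, not part of the original release notes and not eIAM's own tooling: a Python audit that checks an exported firewall rule list against the table above and reports, per stage, whether the new address is already allowed on port 443 and which rules still reference the old one. The semicolon-separated export format, the rule names and the sample rules are constructed assumptions.

```python
import ipaddress

# Old and new endpoint addresses per stage, copied from the table above (port 443).
READDRESSING = {
    "REF":  ("services.gate-r.eiam.admin.ch", "162.23.149.133", "162.23.139.70"),
    "ABN":  ("services.gate-a.eiam.admin.ch", "162.23.149.141", "162.23.139.71"),
    "PROD": ("services.gate.eiam.admin.ch",   "162.23.149.145", "162.23.139.72"),
}

# Constructed sample export, one rule per line: name;destination;port;action.
# The export format and rule names are assumptions for this example.
SAMPLE_RULES = """\
app1-to-eiam-ref;162.23.149.133/32;443;allow
app1-to-eiam-abn;162.23.149.141;443;allow
app1-to-eiam-abn-new;162.23.139.71;443;allow
app1-to-eiam-prod;162.23.149.144/30;443;allow
app1-to-eiam-prod-http;162.23.139.72;80;allow
"""

def parse_rules(text):
    """Return (name, network, port, action) tuples, skipping blanks and comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, dest, port, action = (f.strip() for f in line.split(";"))
        rules.append((name, ipaddress.ip_network(dest, strict=False), int(port), action.lower()))
    return rules

def allowing(rules, ip, port=443):
    """Names of allow rules whose destination network contains ip on the given port."""
    addr = ipaddress.ip_address(ip)
    return [n for n, net, p, act in rules if act == "allow" and p == port and addr in net]

def audit(text):
    """Per stage: is the new address allowed, and which rules still cover the old one?"""
    rules = parse_rules(text)
    report = {}
    for stage, (fqdn, old_ip, new_ip) in READDRESSING.items():
        stale = allowing(rules, old_ip)
        if allowing(rules, new_ip):
            status = "ok"
        else:
            status = "needs-opening" if stale else "no-rule"
        report[stage] = {"fqdn": fqdn, "status": status, "stale_rules": stale}
    return report

if __name__ == "__main__":
    for stage, result in audit(SAMPLE_RULES).items():
        print(stage, result)
```

Rules listed under `stale_rules` are candidates for removal once the stage has been cut over, so that the old addresses do not stay open after they are no longer used by eIAM.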
Sending e-mails from eIAM
Due to policy changes in the sending of e-mails from the Federal Administration, e-mails may now only be sent with senders that are listed in the Federal Administration's Active Directory. The eIAM service has adapted its (noreply) sender addresses accordingly.
Migrations to the new eIAM CI/CD automation platform
All components of eIAM, both central and customised, will be migrated successively and in a staggered manner to the new CI/CD (Continuous Integration / Continuous Deployment) operating platform. This container-based operating platform helps us to scale eIAM better and to meet future requirements for integrations and further development of the eIAM service. With the "Castor" release, various components will again be migrated from the classic eIAM operating platform to the new CI/CD operating platform. Ideally, these migrations will be transparent for you as an eIAM customer as well as for users of your applications. Customers who are directly affected by the migration will be informed about the planned migration.
Information about this can be found at: eIAM Automation (CI/CD)