Release Notes / Customer Information

Dufourspitze 11.02.2024

Status: Final (09.02.2024)

The Release Notes (RN) report on the enhancements, as well as new functionalities and changes to the eIAM Services as per the Roadmap DTI.
Please note that dates for the completion of documentation and concepts usually refer to the end of a release period and have nothing to do with the individual release dates (Release Dates) for functionalities.


Launch date
  • REF:   28.11.2023
    Regression testing ➔ eIAM
  • ABN:   18.01.2024
    Regression testing ➔ eIAM
  • PROD:  11.02.2024
    Sunday, Final Inspection ➔ eIAM

Changes - Innovations
  • FED-LOGIN Usernameless/Passwordless with Access App
  • AGOV as BYOI IdP for CH-LOGIN
  • Support of militia identities
  • Support of CIS managed S-Users
  • Decommissioning of legacy IdPs
  • Architectural change for OIDC integrations
  • Migrations to the new eIAM CI/CD automation platform

Regression testing by eIAM customers

Your cooperation is necessary and very important. In the last releases, we had problems in the higher operating environments (ABN, PROD) only where applications had not carried out their regression tests in advance on REF and/or ABN. These are unnecessary problems which we can avoid together. We count on your support here. It is important that you carry out your regression tests carefully and report any problems to the testing team promptly and in a qualified manner.

Process and expectations for SR introductions

In order to be able to guarantee the stable and secure productive eIAM service, we require meaningful regression tests of the applications in the REF and ABN instances until the SR rollout to PRODUCTION. Normally you have 10 working days at your disposal for this. Please note that in the first 2 days after installation you can benefit from an Early Live Support Team that will assist you promptly in the case of problems.

These release notes will help you to plan the regression tests in relation to the eIAM functionalities you use and will also serve as a source of information for your end customer communication. Please note that the final version of the release notes with all necessary details will be delivered shortly before the productive installation.

Important
Let us know your test results (positive or negative) via the feedback form for customer regression tests (only accessible from the Federal Administration network) so that any service release corrections can be made in good time.

eIAM contact person

If you have any questions or concerns about eIAM, ePortal or PAMS, you can contact the following offices or persons:

eIAM contact points

Changes - Innovations

FED-LOGIN Usernameless/Passwordless with Access App

Figure: Logging in with the FED-LOGIN Access App


As the central identity provider (IdP) for the enterprise context of the Federal Administration, FED-LOGIN enables users to log in securely and conveniently with the FED-LOGIN Access App from the "Dufourspitze" release onwards. The FED-LOGIN Access App is an identity verification tool based on FIDO standards that works completely without entering a username and password. This makes the FED-LOGIN Access App a very convenient means of authentication for the user.

The FED-LOGIN Access App fulfils the high security requirements of an identity verification tool. The fact that the user can only register the FED-LOGIN Access App in the eIAM "MyAccount" after prior identification using a smartcard means that the link between the user's identity and the proof of identity is also at a high level. This results in a login quality level of "high" or eIAM quality level "QoA50". The login with FED-LOGIN Access App on FED-LOGIN thus allows access to most eIAM-integrated applications, including those with increased protection requirements such as "GEVER".

The FED-LOGIN Access App is available for iOS and Android devices in the official app stores "Apple App Store" and "Google Play". It can be registered by all persons equipped with an SG-PKI smartcard with an eIAM FED-LOGIN account as a means of identity verification in Self Service and then used for logins on the FED-LOGIN.

The FED-LOGIN Access App supports the following scenarios:

  • Login directly on the mobile device on which the FED-LOGIN Access App has been installed and registered (smartphone or tablet). A function in the web browser calls up the locally installed FED-LOGIN Access App.
  • Login on another device, e.g. a private PC, mobile VDI or tablet, without a local FED-LOGIN Access App installation. The user is logged in by scanning the QR code displayed by FED-LOGIN during login with the FED-LOGIN Access App.

Detailed information on using the FED-LOGIN Access App can be found here:
FED-LOGIN - Access App registration

Note: Support for the FED-LOGIN Access App for users who are not equipped with an SG-PKI smartcard (so-called "totallySmartcardless") will be provided in a later release of eIAM.

AGOV as BYOI IdP for CH-LOGIN

AGOV is the new CH-LOGIN, in other words the IDV identity network and IDP identity provider of the Federal Administration's "Identity and Access Management" standard service. AGOV will be available for productive use from January 2024 and will replace CH-LOGIN in due course. During parallel operation, new end users will be free to choose whether to register in CH-LOGIN or AGOV.

Differences between CH-LOGIN and AGOV:
AGOV dispenses with the outdated login factors of CH-LOGIN such as passwords and SMS mTAN and relies on the highly hardened FIDO-based AGOV access app and alternatively on FIDO hardware tokens.

In addition to the Federal Authorities, AGOV is also available to all other administrative levels in Switzerland (cantons, municipalities, cities); CH-LOGIN is restricted to the Federal Administration.

For more information on the CH-LOGIN successor, see .

Please note the following regarding AGOV support:

  • Basically, support for users is provided in SelfService via or FAQ .
    • The contact form for a support ticket provided on this AGOV-help will be managed by Citizen Support BIT in the initial phase.
    • In the contact form, the context of AGOV use in terms of the application must be specified. Here we have listed the applications for which the most new CH-LOGINs are currently being opened and where potentially the most customer inquiries can occur. All other applications are summarized in a separate category.
      Figure: AGOV support with an application list (current list)

  • Important: Cases that are reported by users to the support organizations of the offices and specialist applications can continue to be reported to the FOITT as before via Remedy Incident (create incident for Service AGOV to group AEP, thank you).
    Figure: Create a support ticket for the AEP group in Remedy.



Support of militia identities

Members of the armed forces who have to perform tasks in the area of the civilian Federal Administration are equipped with electronic identities of the civilian Federal Administration. They will also be provided with a smartcard and Active Directory account from the civilian Federal Administration. From the "Dufourspitze" release onwards, these identities will be made usable in eIAM. This means that people who are equipped with the corresponding identities can use them to access eIAM-integrated applications as part of their defined tasks.

Support of CIS managed S-Users

S-users are electronic identities of systems. They are required if a system needs to authenticate itself for access to another system. Previously, such S-users were not supplied to eIAM from the Central Identity Store (CIS) and were also not visible at the data reference point (DBP). These identities are now delivered to eIAM and can be used in eIAM.

Decommissioning of legacy IdPs

FED-LOGIN 2.0 supports and extends the authentication requirements that were offered in the past in eIAM by several different IdPs. All applications that still used the legacy IdPs "IdP-Cert" (authentication with Class-B/Class-C certificate from SG-PKI), "IdP-Kerb" (authentication with Kerberos ticket issued by a trusted Active Directory forest) and FED-LOGIN 1.0 have been migrated to FED-LOGIN 2.0 and can therefore benefit from the full range of functions in an enterprise context. The legacy IdPs will be decommissioned with the "Dufourspitze" release.

Architectural change for OIDC integrations

All applications that are connected to eIAM with OIDC (OpenID Connect) as the federation protocol are now connected directly to the eIAM TrustBroker (BTB) with the "Dufourspitze" release. Previously, these were connected via an additional intermediary between the BTB and the application. This change reduces the complexity of the integration architecture. Nothing needs to be changed on the side of the applications integrated with eIAM. The URL and signature certificates used for the federation with OIDC remain unchanged. However, as previously announced, the applications integrated with OIDC must be tested in depth for regressions.
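
One way to check on the application side that the URLs and signing certificates really stayed the same across the migration is to compare a saved snapshot of the OIDC discovery document and JWKS taken before the change with one taken after it. This is an added example, not eIAM tooling: the snapshot layout, the function names and the issuer `https://idp.example.invalid` are assumptions, and the sample data is constructed.

```python
import base64, copy, hashlib, json

# Discovery fields a relying party typically has configured or pinned.
PINNED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")

def key_fingerprint(jwk):
    """SHA-256 of the leaf certificate if the JWK carries x5c, else of the RFC 7638 canonical key."""
    if jwk.get("x5c"):
        return "x5c:" + hashlib.sha256(base64.b64decode(jwk["x5c"][0])).hexdigest()
    members = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members}, sort_keys=True, separators=(",", ":"))
    return "jwk:" + hashlib.sha256(canonical.encode()).hexdigest()

def federation_drift(before, after):
    """Return readable findings; an empty list means nothing the application pins has moved."""
    findings = []
    for field in PINNED:
        old, new = before["discovery"].get(field), after["discovery"].get(field)
        if old != new:
            findings.append(f"{field}: {old!r} -> {new!r}")
    old_keys = {key_fingerprint(k): k.get("kid") for k in before["jwks"]["keys"]}
    new_keys = {key_fingerprint(k): k.get("kid") for k in after["jwks"]["keys"]}
    for fp in sorted(old_keys.keys() - new_keys.keys()):
        findings.append(f"signing key removed: kid={old_keys[fp]}")
    for fp in sorted(new_keys.keys() - old_keys.keys()):
        findings.append(f"signing key added: kid={new_keys[fp]}")
    return findings

# Constructed snapshots: placeholder issuer and placeholder "certificate" bytes, not eIAM values.
ISS = "https://idp.example.invalid"
BEFORE = {
    "discovery": {"issuer": ISS, "authorization_endpoint": ISS + "/authorize",
                  "token_endpoint": ISS + "/token", "jwks_uri": ISS + "/jwks"},
    "jwks": {"keys": [{"kty": "RSA", "kid": "sig-1", "n": "constructed-n", "e": "AQAB",
                       "x5c": [base64.b64encode(b"constructed-cert-1").decode()]}]},
}
AFTER_OK = copy.deepcopy(BEFORE)      # what the release notes promise
AFTER_DRIFT = copy.deepcopy(BEFORE)   # what a regression would look like
AFTER_DRIFT["discovery"]["jwks_uri"] = ISS + "/v2/jwks"
AFTER_DRIFT["jwks"]["keys"][0].update(
    kid="sig-2", x5c=[base64.b64encode(b"constructed-cert-2").decode()])

if __name__ == "__main__":
    for name, snap in (("unchanged", AFTER_OK), ("drifted", AFTER_DRIFT)):
        print(name, federation_drift(BEFORE, snap) or "no drift")
```

Any finding from such a comparison on REF or ABN is worth reporting with the regression test feedback, since a changed issuer or signing key causes token validation failures in the application.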

Applications that explicitly reported problems in the context of BTB migration on REF will of course not be migrated to ABN. On PROD, only applications that have explicitly given positive feedback will be migrated to BTB. The remaining applications will be migrated over the next few months.

Migrations to the new eIAM CI/CD automation platform

All eIAM components, both centralised and customer-specific, will be migrated successively and in stages to the new CI/CD (continuous integration/continuous deployment) operating platform. This container-based operating platform will help us to scale eIAM better and meet the requirements for integrations and further development in the eIAM service in the future. With the "Dufourspitze" release, various components will again be migrated from the classic eIAM operating platform to the new CI/CD operating platform. Ideally, these migrations will be transparent for you as an eIAM customer and for users of your applications. Customers who are directly affected by the migration are always informed about the planned migration.

Information about this can be found at: eIAM Automation (CI/CD)