Release Notes / Customer Information

SR-Liskamm 07.09.2025

• REF:      ⇨ 15.07.2025 ↴
  ⚒ Regression testing ❌❎ ✉➔ eIAM ⚒✅
• ABN:    ⇨ 13.08.2025 ↴
  ⚒ Regression testing ❌❎ ✉➔ eIAM ⚒✅
• PROD:  ⇨ 07.09.2025 ↴
  Sunday ⚒ Final Inspection ❎❎ ✉➔ eIAM

• CH2A Phase AGOV-First in REFERENCE / ACCEPTANCE / PRODUCTION
  
• FED-LOGIN – Support for security keys (FIDO2) for «totallySmartcardless» users
  
• FED-LOGIN – Support for multiple credentials for «totallySmartcardless» users
  
• Delegated Management (Admin Portal) – Filtering of authorization roles of an application
  
• Single sign-on (SSO) for access to eIAM MyAccount has been discontinued
  

Regression testing by eIAM customers

Process and expectations for SR introductions

These release notes will help you to plan the regression tests in relation to the eIAM functionalities you use and will also serve as a source of information for your end customer communication. Please note that the final version of the release notes with all necessary details will be delivered shortly before the productive installation.

Important
Let us know your release test results (positive or negative) via Feedback form customer regression tests. (only accessible from the Federal Administration network) so that any service release corrections can be made in good time.

eIAM contact person

Changes - Innovations

CH2A Phase AGOV-First in REFERENCE / ACCEPTANCE / PRODUCTION

The initiative to replace CH-LOGIN with AGOV (CH2A) is addressed in the phase «AGOV-First», marking the next step toward making AGOV the preferred government login within federal administration. In the «AGOV-First» phase, existing CH-LOGIN identities can still be used. New registrations of CH-LOGIN identities also remain supported. However, considering the upcoming replacement of CH-LOGIN by AGOV, it makes little sense for users to create new CH-LOGINs at this point. The only exception, which mandates an AGOV-Login, applies to new, verified identities (with elevated Quality of Authentication Level – QoA). Verified eGOV identities are now only offered via AGOV, allowing users to benefit from their paid, verified identity across all levels of administration and stages of eIAM.

AGOV, as Switzerland's government login, is to be promoted within the scope of the «AGOV-First» phase. Users are to be informed and motivated to use AGOV. However, no pressure should be exerted on users to switch from CH-LOGIN to AGOV during this phase. The secure transition from CH-LOGIN to AGOV should be made as easy as possible for users with existing CH-LOGIN accounts.

Further information about CH2A and AGOV-First:

The eIAM customer documentation - CH-LOGIN to AGOV (CH2A) - continuously provides relevant information for eIAM customers regarding the CH2A initiative and its individual phases.

Current information about AGOV, CH2A, and the present AGOV-First phase, including the presentation and use case demonstrations from the customer event on 11.04.2025, can also be found in the eIAM Soundingboard FCh-DTI News.

AGOV-First – Backward Compatibility

Therefore, FOITT has requested the Federal Chancellery DTI to slightly relax the premise for so-called legacy integrations. The Federal Chancellery DTI has agreed to this request as it promotes standardization and helps reduce costs for the federal administration. This means that in rare cases, legacy-integrated applications may struggle to recognize a user who has migrated from CH-LOGIN to AGOV-Login.

eIAM has prepared for such cases:
Based on appropriate feedback, a configuration adjustment can be made per affected application immediately and without cost, restoring backward compatibility.

Therefore, we ask you to test your application in the eIAM reference environment with AGOV.

With this decision, the premise is essentially upheld – without introducing global exceptions, but rather specific adaptations for individual legacy integrations.

As part of AGOV-First, applications must be specifically tested for the use case "User switches from CH-LOGIN to AGOV-Login."

It is very important to identify such findings already in the REFERENCE environment. This way, we can work together to prevent problems for your business application and its users during further rollout in the ACCEPTANCE environment (13.08.2025) and in PRODUCTION (07.09.2025).

Please consult the FAQ section for CH2A titled "Backward Compatibility." It contains relevant and important information on this topic within the CH2A context.
CH2A FAQ.

AGOV-First – Testing by Business Units

As part of AGOV-First, applications must be specifically tested for the use case “User switches from CH-LOGIN to AGOV-Login”. See also the section “Backward Compatibility.”

Please consult the FAQ section for CH2A titled “Testing.” It contains relevant and important information on testing within the CH2A FAQ.

Important note for testing from within federal administration networks:
As mentioned in these release notes, logging in from within the federal administration networks is, by default, automatically performed using FED-LOGIN. To test AGOV-First functionality using CH-LOGIN and AGOV-Login, please use the “Autologon Cookie”. Information about using the “Autologon Cookie” can be found in the eIAM documentation:
Testing without Autologon.

AGOV-First – Adjustment of User Guidance / User Support Published by Applications

eIAM Help

Standardization of Login Method Selection (Home Realm Discovery)
As part of AGOV-First, the selection of the login method - i.e., the choice of identity provider (HRD) — has been revised and standardized. Previously, eIAM offered two different options: On one hand, the so-called “tile view,” which displayed all identity providers as tiles. On the other hand, the so-called “CH-LOGIN-First” view, which allowed direct login using CH-LOGIN, while other identity providers were presented as alternatives. Additionally, the selection behavior differed significantly between small screens (smartphones) and large screens laptops/desktops). This inconsistent behavior in eIAM has repeatedly led to confusion among users. Moreover, it contradicts the principle of “AGOV-First,” which aims to promote AGOV as the government login of Switzerland and place it at the forefront for users. This is also the reason why, in the new Home Realm Discovery, AGOV is always presented as the top identity provider for applications that support the eGOV context. Through an information box, users are informed about AGOV as the Swiss government login and encouraged to use it.

Desktop view: Selecting the login method

Mobile view: Selecting the login method

Transparent Blocking of Unsupported Login Methods
eIAM supports various login methods and identity providers. These providers offer identities of varying quality — generally up to QoA30. For many federal administration applications in the eGOV context, this is sufficient. If an application requires a higher quality of authentication, then — with AGOV-First — identity providers whose identities do not meet the requirements will not simply be hidden. Instead, they will still be shown to the user but marked as blocked in a visible manner. The user is transparently informed why their previously used identity in eIAM cannot be used and what steps are necessary to access the desired application in the future.This improves the user experience in eIAM for applications with higher QoA requirements.

Information about the eIAM QoA levels can be found here: Quality of Authentication QoA

Blocking of unsupported login methods

FED-LOGIN – Default Login Method in Federal Administration Networks
Most applications of the federal administration that are accessed by users from within federal administration networks expect the user to log in using the FED-LOGIN method. There are only a few exceptional cases where a small group of users (e.g., testers) wish to use other identities (such as CH-LOGIN or AGOV) to access federal web applications from within the federal networks. Until now, this led to all users having to first select the login method (typically FED-LOGIN). To improve the overall user experience for authentication within federal administration networks, this behavior is being corrected with AGOV-First. If FED-LOGIN is configured as one of the possible login methods for an application, FED-LOGIN will always be automatically selected.

Users with special requirements who want to override this behavior can use the eIAM feature “Autologon Cookie” to bypass automatic login with FED-LOGIN in federal networks.

Information on how to use the “Autologon Cookie” can be found in the eIAM help section:
Testing without autologon.

Support for Users Switching from CH-LOGIN to AGOV-Login (CH2A Wizard)
To make the secure switch from CH-LOGIN to AGOV-Login as easy as possible for approximately 2.8 million users with an existing CH-LOGIN, a wizard was developed in eIAM. When a user accesses eIAM for the first time using their AGOV-Login, the wizard checks whether a CH-LOGIN exists in eIAM that is registered with the same email address as the AGOV-Login. If such an account is found, the user is informed that a corresponding CH-LOGIN exists with the same email address, and is given the option to replace the CH-LOGIN with their AGOV-Login. To do this, the user must log in using their eIAM-registered credentials (password, and second factor if registered) to prove they are the legitimate owner of the CH-LOGIN. If no CH-LOGIN with the email address reported by AGOV is found during login, the user is asked whether they own a CH-LOGIN registered with a different email address and would like to replace it with their AGOV-Login — or whether they don’t own a CH-LOGIN at all. If the user wants to use an existing CH-LOGIN, they must provide their CH-LOGIN email address, password, and possibly second factor to authenticate as the legitimate owner.

In both cases, the eIAM identity is linked to the user's AGOV-Login, and the previously used CH-LOGIN is archived. The user is informed that their CH-LOGIN has been deleted and that AGOV must be used for login from now on. All access rights remain intact during this process.

If the user confirms that they do not own a CH-LOGIN, a new eIAM identity is created for them.

Support for Users Upgrading from CH-LOGIN to AGOV and Recoveries
Naturally, during the transition from CH-LOGIN to AGOV, there will be cases in which users can no longer access their CH-LOGIN login factors (password / second factor). Even in such cases, security must remain the highest priority. The wizard offers the user a recovery function for password and second factors. However, it is optimized to be as user-friendly as possible. It makes little sense for users to create a new password or second factor during recovery solely for the transition, especially if these factors will never be used again afterward. Instead, fallback mechanisms — such as the registered email address or security questions — are used to authenticate the rightful owner of the CH-LOGIN. Unnecessary input of login factors that will no longer be used is consistently avoided.

Support for Users with Verified CH-LOGIN Identities During Upgrade to AGOV
Users with CH-LOGIN identities that were verified either through the so-called nHEC+ verification process (with video identification) or through the VASCO token issuance process retain their verification status — and thus the QoA of their identity in eIAM — even after upgrading from CH-LOGIN to AGOV-Login.This verification status remains valid until the expiration date of the identity verification (5 years after the video identification or the delivery of the VASCO token), even if the upgrade is performed using an unverified AGOV-Login. From the moment the user begins using their eIAM identity with a verified AGOV-Login, AGOV becomes the authoritative source for the verification status of the identity.

CH-LOGIN – Support for Users After Upgrading from CH-LOGIN to AGOV-Login
It is expected that some users will simply forget that they already switched from CH-LOGIN to AGOV-Login in the past — and will later attempt in vain to log in using their old CH-LOGIN. In such cases, eIAM will notify the user that they have already completed the upgrade to AGOV-Login:

• User attempts to log in with their former CH-LOGIN (identified via email address).
  
• User attempts to recover the password of their former CH-LOGIN because login fails.
  
• User attempts to register a new CH-LOGIN using the same email address as their old CH-LOGIN or their already active AGOV-Login in eIAM.
  

CH-LOGIN – Support for New Users When Choosing an Identity Provider
With AGOV-First, after selecting CH-LOGIN and choosing to register a new CH-LOGIN, the user is informed about AGOV and encouraged to register an AGOV-Login instead of a CH-LOGIN. However, both options are offered. The user can decide whether to register an AGOV-Login or a CH-LOGIN. There is one exception to this behavior: If the user accesses an application that requires a higher quality of authentication (> QoA30), then the user is informed that new verified identities are only offered via AGOV-Login. In this case, the user can either register an AGOV-Login or cancel the registration process.

Information about registering for an AGOV-Login instead of a CH-LOGIN.

CH-LOGIN – Phase-Out of Support for VASCO Token
Until now, CH-LOGIN supported the registration of VASCO tokens issued by FOITT as a strong second factor. With AGOV-First, it is no longer possible to newly register VASCO tokens as an authentication method for CH-LOGIN identities. CH-LOGIN identities that already have a registered VASCO token will continue to function with VASCO as a second factor.

Note: Please note that this refers explicitly to the new registration of VASCO tokens for CH-LOGIN identities. The "OTP login" is a different login method. It is not affected by this change and should not be confused with CH-LOGIN.

CH-LOGIN TILE

OTP-Login

CH-LOGIN – Phase-Out of Support for Identity Verification via Video Identification
Until now, it was possible to enhance CH-LOGIN identities with high-level identity credentials (such as Mobile ID / FIDO2 security keys) through a verification process using video identification (VIPS), raising the QoA level from QoA30 to QoA50. With AGOV-First, this upgrade is no longer offered for CH-LOGIN identities. Users who now require a verified identity in the eGOV context create an AGOV-Login, complete the identity verification process within AGOV, and upgrade their existing CH-LOGIN using their verified AGOV-Login. CH-LOGIN identities that underwent this verification process prior to AGOV-First retain their verification status until the end of the validity period of the identification (5 years after video identification was completed).

AGOV – Support for Verified AGOV Identities in eIAM (QoA50)
AGOV identities have already been usable within eIAM. However, they were treated similarly to other so-called Bring Your Own Identity (BYOI) identities — as alternative login methods in the CH-LOGIN context — and were only accepted at a “normal” level, i.e., “medium” according to Si001. This applied even in cases where authentication was performed using a high-level credential and the identity of the AGOV-Login holder had been verified using a high-quality verification process. With AGOV-First, users can now also use their AGOV-Login for federal administration applications in the eGOV context that require a high authentication quality (up to QoA50).

If the QoA level is too low, the user is informed after authentication that a verified AGOV-Login is required. They are then guided through the process of obtaining a verified AGOV-Login at QoA50 level. The process is described here: Verified AGOV-Login (QoA50).

With the “Liskamm” release and the rollout of AGOV-First, AGOV identities can now be used in eIAM up to QoA Level QoA51. See also: “AGOV – Support for AGOV Identities with Verified AHV Number in eIAM (QoA51)”

Information on the eIAM QoA levels can be found here: Quality of Authentication QoA

AGOV – Support for AGOV Identities with Verified AHV Number in eIAM (QoA51)
AGOV is capable of providing a verified AHV number (Swiss social security number) for users with an AGOV-Login. The basis for this is a verified AGOV identity. Through verification of the AHV number against the ZAS register, AGOV confirms that the AHV number truly belongs to the person in question. As a result, applications integrated with eIAM can now request an authentication quality level of QoA51. It is important to note that such applications can only be used with AGOV as the identity provider, since only AGOV can supply the verified AHV number. Naturally, this means the application can only be used by individuals who possess an AHV number.

If the QoA level is too low, the user is informed after authentication that a verified AGOV-Login is required and is guided through the process of obtaining a verified AGOV-Login at QoA51 level.
The process is described here: Verified AGOV-Login with SSN (AHV) number (QoA51).

Information on eIAM QoA levels can be found here: Quality of Authentication QoA

Automatic Update of Identity Data in eIAM – Just-in-Time Provisioning
Before AGOV-First, users had to manually update identity-related data (first name, last name, email address, and preferred correspondence language) in eIAM MyAccount — even if they were using an external identity provider. With AGOV-First, the identity-defining information — first name, last name, email address, and preferred correspondence language — is automatically updated in eIAM at every login. The advantage for the user: They can manage their personal data centrally with their identity provider. This eliminates the need for duplicated data management both at the identity provider and in eIAM.

eIAM MyAccount – Editing of Identity Data Disabled for External Identity Providers
With AGOV-First, editing of identity data in the “User Profile” tab of eIAM MyAccount is disabled if the user is using an identity from an external identity provider. This is because, with AGOV-First, the identity data is automatically updated at every login using the data provided by the identity provider. The user is informed in MyAccount that the data is being supplied by the external identity provider and that updates must be made directly there, if needed. The updated data from the external identity provider is shown to the user in eIAM MyAccount after their next login.

FED-LOGIN – Support for security keys (FIDO2) for «totallySmartcardless» users

With the «Liskamm» release, the range of supported credentials has been expanded. Users can now choose to register either the FED-LOGIN Access App or a physical security key (FIDO2) as part of the «totallySmartcardless» onboarding process. With both the FED-LOGIN Access App and the security key, users achieve the high authentication assurance level (QoA50). This means that FED-LOGIN now supports the same alternative credentials for «totallySmartcardless» users as for users with a smartcard.

FED-LOGIN – Support for multiple credentials for «totallySmartcardless» users

Starting with the "Liskamm" release, FED-LOGIN «totallySmartcardless» users can, after logging in with their already registered credential, register additional credentials via eIAM-MyAccount. Supported in parallel are up to five FED-LOGIN Access Apps (on different devices) and up to four different physical security keys (FIDO2). This feature also allows the user to switch their credentials via self-service – for example, when changing or resetting their mobile phone.

Delegated Management (Admin Portal) – Filtering of authorization roles of an application

Single sign-on (SSO) for access to eIAM MyAccount has been discontinued