This category is used in automated testing, monitoring and data processing. eIAM offers four account types of managed "techusers" for interactive use of the eIAM service via the web UI, especially for login to office applications:

  1. CH-LOGIN with fixed mTAN and ReCaptcha whitelisting, suitable for applications with QoA30 and lower.
  2. Account with soft certificate class C for authentication via FED-LOGIN by means of certificate, suitable by default for applications with QoA30 and lower.
  3. Account from Active Directory (AD) with Trust AD Resource Forest ADR.ADMIN.CH, e.g. F-Account, for authentication via FED-LOGIN over Kerberos, suitable for applications with QoA40 and lower.
  4. T-Account (personal test identity with dedicated SG-PKI smartcard and AD reference) for authentication via FED-LOGIN (smartcard or AD authentication via Kerberos), suitable for applications with QoA60 and lower.

See the information on the QoA concept.

Please note the following necessary preparations before ordering:

  • The following accounts must already exist:
    • CH-LOGIN must be created by the orderer in advance (see instructions CH-LOGIN - Registration). Important: SMS (mTAN) as a second factor must also be set up in advance, otherwise no fixed mTAN can be stored.
    • F-Account must be ordered via Remedy MAC (Link Remedy).
    • T-Account must be ordered via Remedy MAC (Link Remedy).
  • The accounts with a soft certificate must be procured by you as the customer, in accordance with the specifications of the Admin PKI, via a Remedy MAC (enter order by order type, search for "certificates class C", -> order certificate).
    • The certificate must be an X.509 class C certificate.
    • The certificate is in the name of the technical user used to establish the connection.
    • The certificate must contain at least the following key usages:
      • X509v3 Key Usage: Digital Signature
    • The public key must be included in the order as a PEM file.
  • The CISO of the office (see list of CISO) must approve the use of the techuser via mail.
  • For the lifecycle management of the "Managed Techuser", a responsible central office must be defined (not a dedicated person) that knows the technical interrelationships and can carry out certificate exchanges, e.g. an application management team. T-Accounts are the exception, because they are personal.
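
The soft-certificate requirements listed above (X.509, issued in the name of the technical user, Key Usage containing Digital Signature, public key supplied as PEM) can be checked locally before the order is submitted. The script below is an added example, not eIAM or Admin PKI tooling; the function names, file names and the CN `techuser-demo` are assumptions, and the sample certificates are self-signed stand-ins constructed for the demonstration.

```shell
#!/bin/sh
# Added example: pre-order check of a techuser soft certificate with OpenSSL.
# Function names, paths and the demo CN are assumptions, not eIAM tooling.

# Print the subject commonName of a PEM certificate.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

# Succeed if the X509v3 Key Usage extension lists Digital Signature.
has_digital_signature() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'X509v3 Key Usage' | grep -q 'Digital Signature'
}

# check_techuser_cert CERT_PEM EXPECTED_CN PUBKEY_OUT
# Returns 0 and writes the public key as PEM only if every check passes.
check_techuser_cert() {
    if ! openssl x509 -in "$1" -noout >/dev/null 2>&1; then
        echo "FAIL: not a PEM-encoded X.509 certificate" >&2; return 1
    fi
    if [ "$(cert_cn "$1")" != "$2" ]; then
        echo "FAIL: subject CN does not match techuser '$2'" >&2; return 1
    fi
    if ! has_digital_signature "$1"; then
        echo "FAIL: Key Usage lacks Digital Signature" >&2; return 1
    fi
    openssl x509 -in "$1" -noout -pubkey > "$3"
    echo "OK: public key written to $3"
}

# Constructed sample input: self-signed stand-in, NOT an Admin PKI certificate.
# make_demo_cert OUT_PEM CN KEY_USAGE
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$1.key" \
        -out "$1" -subj "/CN=$2" -addext "keyUsage=critical,$3" 2>/dev/null
}

tmp=$(mktemp -d)
make_demo_cert "$tmp/good.pem" techuser-demo digitalSignature
make_demo_cert "$tmp/bad.pem"  techuser-demo keyEncipherment
check_techuser_cert "$tmp/good.pem" techuser-demo "$tmp/good.pub.pem"
check_techuser_cert "$tmp/bad.pem"  techuser-demo "$tmp/bad.pub.pem" || true
```

The check does not establish that a certificate is class C or was issued by the Admin PKI; that still has to be confirmed against the issuing order.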

Important

Please note that eIAM Operations only ensures that the techusers, including the identity reference (account in the client's access client), are correctly created. It is the responsibility of the GKA/BVA to grant these techuser accounts the necessary permissions in the Access Client for the intended use.