Federal Trustbroker (BTB)
From autumn 2022, eIAM was gradually moved from virtual machines to the FOITT container infrastructure. With these moves, the functionality of the eIAM trust brokers, which were responsible for identity and attribute brokering, was migrated to the eIAM in-house development called Bundestrustbroker (BTB). This container infrastructure with the BTB offers the following advantages:
- uninterrupted maintenance
- high scalability
- formation of SSO domains across administrative boundaries
- Canary Testing
Which functional requirements does the current BTB cover?
- Replacement for the existing eIAM Trustbroker, which is based on Microsoft ADFS and operated on virtual machines.
- Portal functionality for pre-authentication, the so-called Home Realm Discovery (HRD), so that the user can select IdPs (adopted from ADFS).
- Possible filtering, conversion and enrichment of claims provider attributes with authorisation and other required authorisation data (adopted from ADFS).
- New: supports single sign-on/single log-out between multiple relying parties based on SSO/SLO policies and own session tracking.
- New: Possibility of a pre-authorisation functionality, e.g. if required access roles are missing during onboarding.
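The claim filtering, conversion and enrichment and the pre-authorisation check listed above, as an added illustration that is not BTB's own (Java) code: the attribute names, rules and role store are constructed for the example, and the security point is that only allow-listed IdP attributes pass through while authorisation roles are taken from the broker's own data, never from the identity provider.

```python
from dataclasses import dataclass, field

# Constructed sample: attributes as a claims provider (IdP) might deliver them.
# The attribute names are hypothetical and not BTB's configuration.
IDP_ATTRIBUTES = {
    "urn:oid:0.9.2342.19200300.100.1.3": ["Alice@Example.org"],  # mail
    "urn:oid:2.5.4.42": ["Alice"],                               # givenName
    "roles": ["app.admin"],          # IdP-asserted role: must NOT be trusted
    "debug-trace-id": ["abc123"],    # unknown attribute: must be dropped
}

# Hypothetical brokering rules: allowed incoming attribute -> (outgoing name, converter).
ATTRIBUTE_RULES = {
    "urn:oid:0.9.2342.19200300.100.1.3": ("email", str.lower),
    "urn:oid:2.5.4.42": ("givenName", str),
}

# Hypothetical authorisation store owned by the broker, keyed by brokered email.
ROLE_STORE = {"alice@example.org": {"app.user"}}


@dataclass
class BrokerResult:
    claims: dict
    missing_roles: set = field(default_factory=set)

    @property
    def authorised(self) -> bool:
        # Pre-authorisation: access is only granted when no required role is missing.
        return not self.missing_roles


def broker_claims(idp_attrs, rules, role_store, required_roles):
    """Filter, convert and enrich IdP attributes, then run the pre-authorisation check."""
    claims = {}
    for name, values in idp_attrs.items():
        rule = rules.get(name)
        if rule is None:
            continue  # filtering: attributes without a rule never reach the relying party
        out_name, convert = rule
        claims[out_name] = [convert(v) for v in values]  # conversion (e.g. normalise case)
    # Enrichment: roles come from the broker's own authorisation data, not from the IdP.
    email = claims.get("email", [None])[0]
    roles = role_store.get(email, set())
    claims["roles"] = sorted(roles)
    return BrokerResult(claims, set(required_roles) - roles)
```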
Which technical requirements does the current BTB fulfil?
- It runs on a container platform for easy instantiation, rollover and scalability (Kubernetes, specifically FOITT Atlantica CCP cluster ccp05).
- It supports Canary Deployment to check changes before they affect users (testers can use cookies to be routed to new versions before they are released).
- Alignment of the technology stack with FOITT standards to optimise platform maintenance work (Java, Spring-Boot, Opensaml, Angular).
- Development and configuration using the GitOps approach (operational framework), i.e. a complete and traceable setup in FOITT Bitbucket.
- Link GitHub: trustbroker.swiss
BTB rollout for applications
The BTB was proactively rolled out and activated with the Syrah service release on 08/01/2023. With this further development of the Bundestrustbroker as a federation component for eIAM, we set the course for the future. We eliminated technological dependencies and reduced the complexity in the eIAM architecture. At the same time, the further development ensured that the component remains fit for important future requirements. The eIAM integrated applications were then gradually transferred to the BTB and CI/CD container infrastructure. This migration was transparent for all applications and completed by the end of Q1 2024 without any adverse effects.
Link to the eIAM automation platform: eIAM Automation and QA