Consistency-Checker (Enforcer)
Initial situation
eIAM user master data and the recognition of users (special position of the e-mail address)
The data describing a user who authenticates via eIAM mainly consists of the user's first name, last name and e-mail address.
In addition, there are technical identifiers in the sense of an "eIAM account number", e.g. the federatedID (VerbundID), which enable the unambiguous recognition of the user in the target application.
In the data describing the user, there may also be ambiguous identifiers such as U/X numbers, abbreviations, etc.; these may not be used to recognise users.
As a technical identifier for user recognition, certain target applications use the user's e-mail address; in particular, certain Microsoft solutions require the e-mail address as a mandatory identifier. Using the e-mail address as the one-to-one recognition element is not recommended by the FOITT, but it is common practice.
Definition eIAM "Root Account" and "Access Account"
In eIAM there is only one root account per authenticated identity of a user (entire Federal Administration). In the root accounts (federated identities), the users are not assigned any rights for target applications. The master attributes of the user are kept in the root accounts.
Master attributes of the users
The following user master attributes are automatically synchronised with the Consistency-Checker from the root account to the access account(s):
- Name (name)
- First name (firstName)
- E-mail (email)
- AddressLine1 (adressLine1)
- AddressLine2 (adressLine2)
- Status (active, inactive or archived)
- Source system
A root account of a user can point to several access accounts (identity references). In the access accounts, the users are assigned rights for target applications. The access account thus functions as a dedicated data space for permissions, usually with the focus on the office (Access Client). The user master data record in the access account is taken over from the root account during the initial set-up. The data in the access account (surname, first name, e-mail address) is transferred to the target application at runtime using eIAM authentication tokens.
- Identities in eIAM & Units, Profiles and Roles
Synchronisation of user master data from root account to access accounts
- For verified electronic identities (QoA50 and QoA60), the data in the access account is always kept up to date, i.e. synchronised with the root account, and cannot be changed manually.
- For unverified electronic identities (below QoA50), the initial user master data can be changed manually by the user or by the delegated manager in the access account (asynchronously, i.e. without being overwritten from the root account).
New: eIAM's Consistency-Checker
With the activation of the Consistency-Checker, all user master data between the root account and the access account are now automatically kept up to date, i.e. synchronised, even in the case of unverified electronic identities.
Rollout of the Consistency-Checker
In the medium term, the eIAM Consistency-Checker must be activated for every eIAM access account for governance reasons. Therefore, eIAM plans a proactive rollout.
In the eIAM access accounts, it must be ensured that all connected target applications can handle changing first names, names and e-mail addresses! It is the task of the eIAM service users in the offices to ensure this. If a target application uses the e-mail address as a recognition feature, this is not guaranteed and must be adapted.
The initial, proactive activation takes place in the eIAM release "Traminer" (09.10.2022). eIAM supports the rollout by saving the original information in the access accounts before synchronisation by the Consistency-Checker. This allows a simple rollback to be initiated in the event of any problems occurring. On the one hand, this supports the proactive rollout similar to the FED-LOGIN 2.0 and on the other hand, it allows the offices to easily identify any problem areas and the need to adapt their applications.
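The following Python model is an added example and not eIAM code or an FOITT artefact. It illustrates the synchronisation rules and the rollout described above: master attributes flow from the root account to the access account (always for verified identities, and for unverified ones only once the Consistency-Checker is active), a snapshot of the pre-sync values is kept so a rollback can restore them, and a target application that recognises users by e-mail address loses track of a user after an e-mail change while one keyed on the federatedID does not. All class and function names, the attribute values and the federatedID are constructed for illustration.

```python
"""Added example (not eIAM code): models the Consistency-Checker's sync of
user master attributes from a root account to an access account, the
pre-sync snapshot that allows a rollback, and why a target application
should recognise users by federatedID rather than by e-mail address.
Names, sample values and the federatedID are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Master attributes the page lists as synchronised (attribute keys as on the page).
SYNCED_ATTRIBUTES = ("name", "firstName", "email", "adressLine1",
                     "adressLine2", "status", "sourceSystem")


@dataclass
class Account:
    federated_id: str                              # stable technical identifier (VerbundID)
    attributes: Dict[str, str]
    qoa: int = 30                                  # quality of authentication; >= 50 is verified
    original: Optional[Dict[str, str]] = None      # snapshot taken before the first sync write


def sync_access_account(root: Account, access: Account, checker_active: bool) -> bool:
    """Copy master attributes root -> access according to the page's rules.
    Verified identities (QoA >= 50) are always synchronised; unverified ones
    only once the Consistency-Checker is active. The pre-sync values are
    saved the first time the sync writes, so they can be restored later.
    Returns True if the access account was changed."""
    if root.qoa < 50 and not checker_active:
        return False                               # manual edits in the access account stay
    changed = {k: root.attributes[k] for k in SYNCED_ATTRIBUTES
               if k in root.attributes and root.attributes[k] != access.attributes.get(k)}
    if not changed:
        return False
    if access.original is None:
        access.original = dict(access.attributes)  # keep original data for rollback
    access.attributes.update(changed)
    return True


def rollback(access: Account) -> bool:
    """Restore the attributes saved before synchronisation; False if nothing was saved."""
    if access.original is None:
        return False
    access.attributes = dict(access.original)
    access.original = None
    return True


class TargetApplication:
    """A target application keeping local user records keyed by a chosen identifier."""

    def __init__(self, key_attribute: str):
        self.key_attribute = key_attribute         # "federatedId" or a master attribute name
        self.records: Dict[str, dict] = {}

    def key_for(self, acc: Account) -> str:
        if self.key_attribute == "federatedId":
            return acc.federated_id
        return acc.attributes[self.key_attribute]

    def provision(self, acc: Account, permissions: List[str]) -> None:
        self.records[self.key_for(acc)] = {"permissions": permissions}

    def recognise(self, acc: Account) -> Optional[dict]:
        """The stored record for this user, or None if the application would
        treat the login as an unknown user (the failure mode the page warns about)."""
        return self.records.get(self.key_for(acc))


def demo() -> dict:
    """Walk through an e-mail change for an unverified identity (constructed data)."""
    root = Account("VID-0001", {"name": "Muster", "firstName": "Anna",
                                "email": "anna.muster@example.ch", "adressLine1": "Musterweg 1",
                                "adressLine2": "", "status": "active", "sourceSystem": "CH-LOGIN"},
                   qoa=30)
    access = Account("VID-0001", dict(root.attributes), qoa=30)
    by_email = TargetApplication("email")          # recognises users by e-mail address
    by_vid = TargetApplication("federatedId")      # recognises users by federatedID
    by_email.provision(access, ["editor"])
    by_vid.provision(access, ["editor"])

    root.attributes["email"] = "anna.beispiel@example.ch"   # e-mail changes in the root account
    synced_without = sync_access_account(root, access, checker_active=False)
    synced_with = sync_access_account(root, access, checker_active=True)
    result = {
        "synced_without_checker": synced_without,          # unverified, checker off: no sync
        "synced_with_checker": synced_with,                # checker active: sync enforced
        "recognised_by_email": by_email.recognise(access) is not None,
        "recognised_by_federated_id": by_vid.recognise(access) is not None,
    }
    result["rollback_restored"] = rollback(access) and access.attributes["email"] == "anna.muster@example.ch"
    return result


if __name__ == "__main__":
    print(demo())
```

The `recognised_by_email` flag is the case the page asks the offices to check: once the Consistency-Checker has written the new e-mail address into the access account, an application keyed on the e-mail address no longer finds the user's record, while the federatedID keeps working. The saved `original` dictionary plays the role of the pre-sync copy that eIAM keeps for the rollback.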