Interface eIAM-AMW

(eIAM Access Clients Web GUI)

In the eIAM service, identity management and access management are separated. The main reason is that identities are maintained centrally in the Federal Administration, while access authorisations are administered decentrally by the individual offices, or by external administrators on behalf of offices. Access management is carried out in the eIAM-AM of the eIAM service.
In the Access Management (AM) client, mainly authorisation roles are maintained. Other attributes, such as street or city, can also be maintained to make it easier to assign identity references to users; these attributes, however, exist only within eIAM-AM and are not delivered to the application in the SAML assertion. eIAM-AM provides interfaces in the form of a web application and a web service. Attributes may be added, changed or deleted, and authorisation roles administered, via these interfaces.

"The creation or modification of identities or identity references in the access client of the office is NOT permitted, as this requires complex business logic."

eIAM-AM Web GUI

IDM is the central management tool for the administration of IDM roles, clients, organisations, specialist applications, business and specialist application roles, and user data and profiles. It can be accessed from the Federal Administration network and from the Internet; prior authentication and authorisation are required. For security reasons, the interface only allows authentication via the Kerberos IdP and the Swiss Government PKI (SG-PKI) IdP within the BV network. Outside the BV network, authentication is only possible via the Swiss Government PKI (SG-PKI) IdP.
IDM Roles & Access Assignments

eIAM-AM Web Service Interface

Authentication for Web Services SOAP
Via this SOAP-based web service interface to the access management clients in eIAM, user attributes such as authorisation roles can be changed. Users can also be archived via this interface. The administration of the technical users and their authorisations is done by the client itself in eIAM-AM, in the same way as for its web applications. The identity of the accessing subject (technical user) and its authorisation roles in eIAM-AM are passed to the web service in a standardised SAML 2.0 token, carried either in the SOAP header or in an HTTP header. One eIAM-WSG is required per web service to be protected.


Service endpoints of the interface

Stage              URL
Reference (REF)    https://services.gate-r.eiam.admin.ch/nevisidm/services/v1_45/AdminService
Acceptance (ABN)   https://services.gate-a.eiam.admin.ch/nevisidm/services/v1_45/AdminService
Production (PROD)  https://services.gate.eiam.admin.ch/nevisidm/services/v1_45/AdminService
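The two token placements described above (SAML 2.0 token in the SOAP header or in an HTTP header), as an added example that is not eIAM or nevisIDM code. The sample assertion, the operation body, the HTTP header name "X-SAML-Assertion" and the NS_* constants are constructed assumptions; the endpoint is the REF stage URL from this page.

```python
# Added example, not part of the eIAM service or nevisIDM. Wraps a SAML 2.0 token
# for the eIAM-AM SOAP interface either in a WS-Security SOAP header or in an HTTP
# header, and refuses to send a token outside its Conditions validity window.
# The sample assertion, operation body and HTTP header name are assumptions.
import base64
from datetime import datetime
import xml.etree.ElementTree as ET

ENDPOINT_REF = "https://services.gate-r.eiam.admin.ch/nevisidm/services/v1_45/AdminService"
NS_SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
NS_WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
for prefix, uri in (("soapenv", NS_SOAP), ("wsse", NS_WSSE), ("saml2", NS_SAML)):
    ET.register_namespace(prefix, uri)

# Constructed, unsigned sample token; a real token is issued and signed by the IdP.
SAMPLE_ASSERTION = (
    f'<saml2:Assertion xmlns:saml2="{NS_SAML}" ID="_example" Version="2.0" '
    'IssueInstant="2024-01-01T00:00:00Z"><saml2:Issuer>urn:example:idp</saml2:Issuer>'
    '<saml2:Subject><saml2:NameID>tech-user-example</saml2:NameID></saml2:Subject>'
    '<saml2:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z"/>'
    '</saml2:Assertion>'
)
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

def assertion_is_valid_at(assertion_xml: str, now_utc: str) -> bool:
    """Check the Conditions window so an expired or not-yet-valid token is never sent."""
    cond = ET.fromstring(assertion_xml).find(f"{{{NS_SAML}}}Conditions")
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        return False  # a token without a validity window is treated as invalid
    now = datetime.strptime(now_utc, TIME_FMT)
    not_before = datetime.strptime(cond.get("NotBefore"), TIME_FMT)
    not_on_or_after = datetime.strptime(cond.get("NotOnOrAfter"), TIME_FMT)
    return not_before <= now < not_on_or_after

def soap_envelope_with_saml(assertion_xml: str, body_xml: str) -> str:
    """Variant 1: token inside a wsse:Security block of the SOAP header."""
    envelope = ET.Element(f"{{{NS_SOAP}}}Envelope")
    header = ET.SubElement(envelope, f"{{{NS_SOAP}}}Header")
    security = ET.SubElement(header, f"{{{NS_WSSE}}}Security")
    security.append(ET.fromstring(assertion_xml))
    ET.SubElement(envelope, f"{{{NS_SOAP}}}Body").append(ET.fromstring(body_xml))
    return ET.tostring(envelope, encoding="unicode")

def http_headers_with_saml(assertion_xml: str, header_name: str = "X-SAML-Assertion") -> dict:
    """Variant 2: base64-encoded token in an HTTP header (header name is an assumption)."""
    token = base64.b64encode(assertion_xml.encode("utf-8")).decode("ascii")
    return {header_name: token, "Content-Type": "text/xml; charset=utf-8"}
```

The operation body passed to soap_envelope_with_saml must come from the WSDL-KIT; the example uses a placeholder element because the AdminService operations are not listed on this page.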



Customer's duty to cooperate
According to the SLA, the service recipient of a SOAP-based web service interface is obliged to check at least once a year whether its interface corresponds to the current version. A ZIP file with the latest version, WSDL-KIT 1.45 (ZIP), is available to those responsible for the application on the FOITT customer platform. We recommend that all application owners update the interface as soon as possible. In case of any problems, please contact eIAM-Operations@bit.admin.ch.