Identity provider (IdP)

Provision of own electronic identities (internal identity providers AGOV, CH-LOGIN, SG-PKI, Kerberos, MDM)

  • AGOV: eIAM provides the electronic identity www.agov.ch for citizens and business representatives in Switzerland and abroad. AGOV identities are available in self-registered (unverified) and verified quality. Cantons and their municipalities can use the eIAM identity provider "AGOV" by connecting their applications or IAM systems directly to AGOV; the Federal Administration uses AGOV exclusively via the IAM system "eIAM".
  • CH-LOGIN: CH-LOGIN is the predecessor of AGOV and will initially be operated in parallel with AGOV, but is to be gradually phased out.
  • FED-LOGIN via smartcard (SG-PKI): In addition, the electronic identities from the SG-PKI (Swiss Government Public Key Infrastructure) are available in eIAM and can be used by employees of the Federal Administration and SG-PKI affiliates.
  • FED-LOGIN using Kerberos: The electronic identities of Federal Administration employees can alternatively be obtained by the target applications in dedicated internal Federal networks as Kerberos tickets (instead of from the smartcard certificate). Obtaining the identity this way results in a downgrading of the declared reliability of the subject-identifying properties conveyed.
  • FED-LOGIN without smartcard (colloquially also referred to as "BV-Login"): Use of the electronic identities of the SG-PKI by employees of the Federal Administration by means of user name, password and a second factor, also from the Internet.
  • MDM: The Citrix Secure Hub, which is used as a sandbox on iOS devices as part of the Federal Administration's Mobile Device Management (MDM) programme, also provides a means of conveying the electronic identities of Federal Administration employees without the use of a smartcard. Web applications that run in the web browser of this sandbox (Citrix Secure Web Browser) and native mobile apps in this sandbox can be provided with this identity information automatically, so that employees do not have to log in: access to the sandbox itself is protected by the local mechanisms of the iOS device, and that local unlock serves as the proof of authorisation for the automatic, invisible in-sandbox authentications. Obtaining the identity this way results in a downgrading of the declared reliability of the subject-identifying properties conveyed.

    Remark
    An MDM-integrated device can only be registered in one operating environment (stage). Therefore, a device registered in the MDM PROD environment cannot access integrated applications in REF or ABN, and vice versa. If a resource in the ABN environment is to be accessed via Secure Web Browser, the device must also be registered in the MDM ABN environment.
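The list above gives a relying party two things to enforce: the identity source and method determine how much the delivered identity can be trusted (smartcard strongest, Kerberos and MDM explicitly downgraded, AGOV verified above AGOV self-registered), and an MDM-delivered identity is only valid for the stage the device is registered in. The following is an added illustration of that policy on the application side; it is not eIAM code. The claim names (`source`, `method`, `agov_quality`, `mdm_stage`), the numeric assurance values and the sample claims are all constructed assumptions; only the relative ordering follows the page. CH-LOGIN is omitted because the page does not describe how it authenticates.

```python
"""Relying-party assurance and stage check for identities delivered via eIAM.

Added illustration, not eIAM code.  Assumption: the application receives the
identity as a dict of claims with the keys 'source' (internal IdP), 'method'
(how the identity was obtained), 'agov_quality' for AGOV identities and
'mdm_stage' for MDM-delivered identities.  Real eIAM attributes differ.
"""
from dataclasses import dataclass

# Ordered assurance ladder.  Relative positions follow the eIAM description:
# the SG-PKI smartcard is the strongest source, Kerberos tickets and MDM
# in-sandbox delivery are explicitly downgraded, AGOV verified outranks AGOV
# self-registered.  The numeric values are an assumption for illustration.
ASSURANCE = {
    ("SG-PKI", "smartcard"): 4,
    ("SG-PKI", "password_2fa"): 3,   # FED-LOGIN without smartcard
    ("SG-PKI", "kerberos"): 2,       # downgraded: ticket instead of certificate
    ("SG-PKI", "mdm"): 2,            # downgraded: no user login inside the sandbox
    ("AGOV", "verified"): 3,
    ("AGOV", "self_registered"): 1,
}


@dataclass(frozen=True)
class Resource:
    name: str
    stage: str          # PROD, REF or ABN
    min_assurance: int  # lowest ASSURANCE value the resource accepts


def assurance_level(claims: dict) -> int:
    """Map the identity source and method to a level; 0 means unknown."""
    source = claims.get("source")
    method = claims.get("agov_quality") if source == "AGOV" else claims.get("method")
    return ASSURANCE.get((source, method), 0)


def authorize(claims: dict, resource: Resource) -> tuple[bool, str]:
    """Decide whether an identity may reach a resource, with a reason string."""
    level = assurance_level(claims)
    if level == 0:
        return False, "unknown identity source or method"
    # An MDM-registered device belongs to exactly one stage: a device in the
    # PROD environment cannot reach REF or ABN resources and vice versa.
    if claims.get("method") == "mdm":
        device_stage = claims.get("mdm_stage")
        if device_stage != resource.stage:
            return False, f"device registered in {device_stage} cannot reach {resource.stage}"
    if level < resource.min_assurance:
        return False, f"assurance {level} below required {resource.min_assurance}"
    return True, f"ok (assurance {level})"


if __name__ == "__main__":
    # Constructed sample identities, not real tokens.
    samples = [
        {"source": "SG-PKI", "method": "smartcard"},
        {"source": "SG-PKI", "method": "kerberos"},
        {"source": "SG-PKI", "method": "mdm", "mdm_stage": "PROD"},
        {"source": "AGOV", "agov_quality": "self_registered"},
    ]
    sensitive = Resource("hr-portal", "ABN", min_assurance=3)
    for c in samples:
        print(c, "->", authorize(c, sensitive))
```

The stage check runs before the assurance comparison on purpose: a PROD device presenting an otherwise strong identity must still be refused on ABN, which mirrors the remark above.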