Release Notes / Customer Information

>>> Diolinoir 7 August 2022 <<<

Status: Final


The Release Notes (RN) report on the enhancements, as well as new functionalities and changes to the eIAM Services as per the Roadmap DTI.

Please note that dates for the completion of documentation and concepts usually refer to the end of a release period and have nothing to do with the individual release dates (Release Dates) for functionalities.

Introduction dates / innovations


REF: 28 June 2022 (tests) | ABN: 13 July 2022 (tests) | PROD: 7 August 2022

  • Rollout of nHEC+ version 1 with the following features
    • New QoA concept
    • VIPS (video identification)
    • CH-LOGIN with Mobile ID

  • Removal of ID linking
    • The ID linking between the federal account and the eGOV account (CH-LOGIN) is removed and tidied up for all users.

  • Consistency Checker (CC)
    • The CC was introduced with the "Freiburg" service release for the VIPS identification process. With the introduction of the Diolinoir release, the synchronisation of the root attributes between the root and access accounts can now be ensured for all federated identities. The activation of this synchronisation is recommended.

  • The user root account creation is prevented during HR onboarding.

Process and expectations for SR introductions

In order to be able to guarantee the stable and secure productive eIAM service, we require meaningful regression tests of the applications in the REF and ABN instances until the SR rollout to PRODUCTION. You have at least 14 days per stage to do this. Please plan your test activities early in these periods so that any bug fix releases are possible in good time.

These release notes will help you to plan the regression tests in relation to the eIAM functionalities you use and will also serve as a source of information for your end customer communication. Please note that the final version of the release notes with all necessary details will be delivered shortly before the productive installation.

Important
If you encounter problems during your regression tests, please inform our testing team immediately at: Testing-eiam@bit.admin.ch. Our colleagues will take your input, check it and consolidate it. We would like to thank you for your important assistance and support in order to maintain and further improve the high quality standard of the service releases!

eIAM contact person

If you have any questions or concerns about eIAM, ePortal or PAMS, you can contact the following offices or persons:

eIAM contact points

Release Notes

nHEC+ Version 1

nHEC+ makes it possible to verify the self-registered accounts of CH-LOGIN with their non-verified attributes such as surname and first name by means of video identification. The advantage of this is that a higher quality of the attributes and also a higher authentication strength can be achieved than before. This means that it is now also possible for CH logins to access dedicated systems that require a high quality of authentication and verification and are dependent on receiving correct identity data. The quality of this is mapped with the QoA concept. In order to achieve this high quality, another authentication procedure has been introduced, the Mobile ID. With this procedure and the video identification, we obtain a verified electronic identity with the QoA50.

Even without the use of Mobile ID, nHEC+ with mTAN or AuthAPP with video identification offers a great advantage. Although a lower QoA40 is achieved here, the attributes are present in the eIAM with high quality. Applications that have established their own verification processes for onboarding today or will need them in the future can now rely on a new, efficient solution to invite or directly authorise verified identities in their applications.

With this release, the first version of nHEC+ is rolled out. The first version includes the following features:

  • New QoA concept
  • CH-LOGIN with Mobile ID
  • VIPS (video identification)

QoA concept
The new QoA (Quality of Authentication) concept is mainly concerned with the different QoA classes and their definition and classification.

Quality of Authentication (QoA)

CH-LOGIN with Mobile ID and VIPS
Since nHEC+ requires strong authentication, the user must set up the Mobile ID credential in MyAccount. This is done in the same way as for FED-LOGIN 2.0. After successful registration of the Mobile ID, the user can log in to MyAccount with the Mobile ID and perform the video verification to obtain an nHEC+ identity.

Self-registration without or with video identification

Removal of ID linking

In eIAM, there are several hundred users who use the ID linking functionality to access the same accounts via CH-LOGIN or an enterprise IdP (Kerberos, Cert). This was an interesting feature in the past, as it allowed one to use CH-LOGIN to access resources assigned to the federated identity, which was reserved for enterprise use. The original driver of this functionality was that an employee could also access resources in the company via an unmanaged device, e.g. iPad, private PC etc.

Due to the defined separation of Enterprise and eGov, this linking is no longer allowed and violates governance. Moreover, it is no longer needed, as the new Fedlogin now also offers the possibility to access corporate resources from an unmanaged device without any problems.

Users who use ID linking are informed that they will no longer be able to log in to their corporate identity with their CH login. This means that all rights and privileges that were accessible via the referenced corporate identity can no longer be used with the linked CH login, but only via the FED login. From a technical point of view, it was decided to delete the linked CH login with the removal of the ID linking. If you need a CH login again for private purposes, you will have to create a new login with a private email address.

You can continue to access your resources and applications as usual via the Fed login. It may be necessary to activate external access and other authentication procedures for your Fed login.

Consistency Checker (CC)

The Consistency Checker is the most important renewal. Until now, the user master attributes (surname, first name, e-mail, etc.) were not synchronised between the federation identity (root account) and the identity references (access accounts). As a result, the root attributes of the root account and of the user's access accounts drifted apart over time. This affected users as well as application operators, because the data in the application was not updated. The Consistency Checker (CC) supports the consistency of data in eIAM: it synchronises the user master attributes from the root account to the access accounts. The CC was introduced with the release "Freiburger". Initially, only identities that go through the new identification process (VIPS) are synchronised. With the "Diolinoir" release, this synchronisation can now be adopted for all identity references in the access client via whitelisting. In the medium term, the eIAM Consistency Checker must be activated for every eIAM Access Account for governance reasons. Therefore, eIAM plans a proactive rollout.

Important: eIAM customers / offices currently do not have to do anything. The eIAM team is actively approaching customers about switching to the Consistency Checker.
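As an added illustration (not eIAM's own code, which the release notes do not show), the following toy model separates the two halves of what the Consistency Checker does: a read-only drift report over all access accounts of a root account, and a synchronisation that writes root attributes only to access clients on the whitelist, keeping an audit trail of every change. The class names, attribute keys and sample identities are constructed assumptions.

```python
from dataclasses import dataclass, field

# Root attributes the release notes name as synchronised: surname, first name, e-mail.
MASTER_ATTRIBUTES = ("surname", "first_name", "email")

@dataclass
class RootAccount:        # federation identity holding the master attributes
    root_id: str
    attributes: dict

@dataclass
class AccessAccount:      # identity reference inside one access client (application)
    access_client: str
    root_id: str
    attributes: dict
    sync_log: list = field(default_factory=list)

def _diffs(root, acc):
    """Attributes of one access account that no longer match its root account."""
    return {a: (acc.attributes.get(a), root.attributes.get(a))
            for a in MASTER_ATTRIBUTES if acc.attributes.get(a) != root.attributes.get(a)}

def find_drift(root, access_accounts):
    """Report, per access client, every root attribute that has drifted (read-only)."""
    return {acc.access_client: _diffs(root, acc)
            for acc in access_accounts if acc.root_id == root.root_id and _diffs(root, acc)}

def synchronise(root, access_accounts, whitelist):
    """Copy root attributes onto the access accounts of whitelisted access clients.
    Non-whitelisted clients are reported by find_drift but never modified.
    Returns the set of access clients that were updated."""
    updated = set()
    for acc in access_accounts:
        if acc.root_id != root.root_id or acc.access_client not in whitelist:
            continue
        for attr, (old, new) in _diffs(root, acc).items():
            acc.attributes[attr] = new
            acc.sync_log.append((attr, old, new))  # audit trail of every change
            updated.add(acc.access_client)
    return updated

# Constructed sample data (hypothetical identities, not real eIAM records).
ROOT = RootAccount("root-1", {"surname": "Muster", "first_name": "Anna", "email": "anna@example.org"})
ACCESS = [
    AccessAccount("app-hr", "root-1", {"surname": "Muster", "first_name": "Anna", "email": "old@example.org"}),
    AccessAccount("app-finance", "root-1", {"surname": "Meier", "first_name": "Anna", "email": "anna@example.org"}),
    AccessAccount("app-hr", "root-2", {"surname": "Other", "first_name": "Bob", "email": "bob@example.org"}),
]
```

Running find_drift before and after synchronise with whitelist={"app-hr"} shows that only the whitelisted client's account is corrected, while the app-finance drift remains visible for the operator to act on.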

For more detailed information, see: Consistency-Checker (Enforcer)

Prevent root account creation

In rare cases it can happen that an employee creates a root account via an access request in eIAM, although for federal and cantonal employees the root account is intended to be created by automatic provisioning. This timing problem has led to recurring problems and support requests, which is why root account creation by the user is now prevented. The user receives the following message.

If a new employee is created in the HR system, provisioning generally takes the following time:

  • Federal employee: one hour
  • Cantonal employee: one day

If after one day they are still unable to log in successfully, please contact support. In very rare cases the account has to be created manually by our support; this is often the case with technical accounts.

Error message: shown when a SmartCard is used but no federation identity is yet available