Release Notes / Customer Information
Eiger 21.04.2024
The Release Notes (RN) report on the enhancements, new functionalities and changes to the eIAM Services as per the Roadmap DTI.
Launch dates
- REF: 27.02.2024, followed by regression testing by eIAM
- ABN: 20.03.2024, followed by regression testing by eIAM
- PROD: 21.04.2024 (Sunday), followed by a final inspection by eIAM
- FED-LOGIN - Support for multiple published smartcard certificates
- CH-LOGIN - New registration - Restriction of mTAN (SMS) to Swiss mobile phone numbers - Amendment dated 23.04.2024
- CH-LOGIN - Improvement of BYOI IdP selection
- Architectural change for OIDC integrations
- Migrations to the new eIAM CI/CD automation platform
Regression testing by eIAM customers
Your cooperation is necessary and very important. In the last releases, we had problems in the higher operating environments (ABN, PROD) only where applications had not carried out their regression tests in advance on REF and/or ABN. These are unnecessary problems which we can avoid together, and we count on your support here. Please carry out your regression tests carefully and report any problems to the testing team promptly and in a qualified manner.
Process and expectations for SR introductions
In order to guarantee a stable and secure productive eIAM service, we require meaningful regression tests of the applications in the REF and ABN instances before the SR rollout to PRODUCTION. Normally you have 10 working days at your disposal for this. Please note that in the first 2 days after installation you can benefit from an Early Live Support Team that will assist you promptly in case of problems.
These release notes will help you to plan the regression tests in relation to the eIAM functionalities you use, and will also serve as a source of information for your end-customer communication. Please note that the final version of the release notes with all necessary details will be delivered shortly before the productive installation.
Important
Let us know your test results (positive or negative) via Feedback form customer regression tests
eIAM contact person
If you have any questions or concerns about eIAM, ePortal or PAMS, you can contact the following offices or persons:
eIAM contact points
- Testing questions
  - eIAM Testing Team: Testing-eiam@bit.admin.ch
  - Kadir Gelme (SM eIAM Testing)
- Operational issues
  - eIAM Platform Team: eIAM-Operations@bit.admin.ch / +41 (0)58 469 88 55
  - Edgar Kälin, BIT (PO eIAM Platform Team)
- Integration of new solutions
  - eIAM Integration Team: eIAM-Integrations@bit.admin.ch / +41 (0)58 469 88 55
  - Danny Rothe, BIT (PO eIAM Integration)
- General questions, management questions or complaints
  - Roger.Zuercher@bit.admin.ch, Service Manager eIAM / Project Manager (BO-eIAM)
- New requirements for eIAM
  - Service responsible for federated IAM (BO-eIAM)
Changes - Innovations
FED-LOGIN - Support for multiple published smartcard certificates
Previously, people with several published smartcard certificates could use only one of them to authenticate to FED-LOGIN, because eIAM supported only one certificate per identity. In practice this meant that users with several smartcards could not authenticate to FED-LOGIN whenever the certificate on the smartcard currently in use was not the one recognised by eIAM. Multiple smartcard-based certificates can now be used per identity to log in to FED-LOGIN.
CH-LOGIN - New registration - Restriction of mTAN (SMS) to Swiss mobile phone numbers - Amendment dated 23.04.2024
CH-LOGIN supports mTAN (SMS) as a second authentication factor. SMS services are increasingly the target of attacks that trigger large numbers of SMS messages to countries where telecommunications operators are poorly regulated; the attackers receive a share of the mobile operator's roaming charges for these messages. Unfortunately, CH-LOGIN was and still is a victim of such SMS pumping attacks. Sending these SMS messages incurs high costs for the eIAM service without providing any useful value for the service. The eIAM service and ChF TNI have therefore decided to restrict the use of SMS as a second authentication factor at registration to Swiss mobile phone numbers (country code +41). Foreign mobile numbers that are already registered are not affected by this change and can continue to be used. For new CH-LOGIN identity registrations by people without a Swiss mobile phone number, the authentication factors "FIDO security key" and "TOTP (Authenticator App)" are available as second factor.
CH-LOGIN - Improvement of BYOI IdP selection
CH-LOGIN enables login with external identities through federation with so-called Bring Your Own Identity (BYOI) providers, e.g. AGOV, BE-LOGIN, Switch edu-ID and others. Previously, once one of these identity providers had been selected for the current authentication, no other identity provider could be selected for a certain period of time, even if the user completely restarted the authentication from within the application: CH-LOGIN no longer displayed the selection and redirected the browser straight to the previously selected identity provider. This had negative effects, especially when a user had selected the wrong identity provider by mistake. This behaviour is corrected with the "Eiger" release: the user can now always select the BYOI identity provider afresh for each new authentication request on CH-LOGIN.
Architectural change for OIDC integrations
With the "Eiger" service release, all applications connected to eIAM with OIDC (OpenID Connect) as the federation protocol are connected directly to the eIAM TrustBroker (BTB). Previously they were connected via an additional intermediary between the BTB and the application. This change reduces the complexity of the integration architecture. Nothing needs to be changed on the side of the applications integrated with eIAM: the URLs and signature certificates used for the OIDC federation remain unchanged. However, as previously announced, applications integrated with OIDC must be tested in depth for regressions. Applications that explicitly reported problems in the context of the BTB migration on REF will of course not be migrated on ABN. On PROD, only applications that have explicitly given positive feedback will be migrated to the BTB; the remaining applications will be migrated over the next few months.
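The mTAN restriction described above under CH-LOGIN (new enrolments only for +41 numbers, numbers registered earlier stay usable) is easy to get wrong at the input-normalisation step, because the same Swiss number can be entered as "+41 (0)79 ...", "0041 79 ..." or "079 ...". The following is an added example, not eIAM's code: it normalises a user-entered number to E.164 and then applies the rule, with a grandfather set for numbers registered before the change. The handling of "(0)", "00" and a bare leading "0" as Swiss national format are this example's assumptions, and the grandfathered numbers are constructed sample data.

```python
import re
from dataclasses import dataclass
from typing import Optional, Set

SWISS_COUNTRY_CODE = "41"  # the only country code accepted for new mTAN enrolments


@dataclass(frozen=True)
class MtanDecision:
    allowed: bool
    e164: Optional[str]  # normalised number, None if it could not be parsed
    reason: str


# Characters that are formatting only and carry no meaning in a phone number.
_FORMATTING = re.compile(r"[\s.\-/()]")


def normalise_e164(raw: str) -> Optional[str]:
    """Normalise a user-entered mobile number to E.164 (e.g. "+41791234567").

    Assumptions made by this example (not stated in the release note):
    "(0)" after a country code is the optional trunk prefix and is dropped,
    "00" is the international prefix, a number starting with a single "0"
    is in Swiss national format. Returns None for anything unparseable.
    """
    s = raw.strip().replace("(0)", "")
    s = _FORMATTING.sub("", s)
    if s.startswith("+"):
        digits = s[1:]
    elif s.startswith("00"):
        digits = s[2:]
    elif s.startswith("0"):
        digits = SWISS_COUNTRY_CODE + s[1:]
    else:
        return None
    # "+41 079 ..." keeps the trunk zero; Swiss national numbers never start
    # with 0 after the country code, so drop it (Swiss-specific assumption).
    if digits.startswith(SWISS_COUNTRY_CODE + "0"):
        digits = SWISS_COUNTRY_CODE + digits[len(SWISS_COUNTRY_CODE) + 1:]
    # E.164: digits only, at most 15 of them, and no country code starts with 0
    if not digits.isdigit() or not 8 <= len(digits) <= 15 or digits.startswith("0"):
        return None
    return "+" + digits


def is_swiss(e164: str) -> bool:
    """Country-code check only, exactly as the release note defines the restriction."""
    return e164.startswith("+" + SWISS_COUNTRY_CODE)


def mtan_enrolment_decision(raw_number: str, grandfathered: Set[str]) -> MtanDecision:
    """Apply the Eiger rule: new mTAN enrolments only for +41 numbers; numbers
    registered before the change (passed in E.164 via `grandfathered`) stay usable."""
    e164 = normalise_e164(raw_number)
    if e164 is None:
        return MtanDecision(False, None, "number could not be parsed")
    if e164 in grandfathered:
        return MtanDecision(True, e164, "registered before the restriction")
    if is_swiss(e164):
        return MtanDecision(True, e164, "Swiss mobile number (+41)")
    return MtanDecision(False, e164, "foreign number: offer FIDO security key or TOTP instead")


# Constructed sample: a foreign number that was already registered before the change.
GRANDFATHERED = {"+4915112345678"}

if __name__ == "__main__":
    for candidate in ("+41 (0)79 123 45 67", "0041 79 123 45 67", "+49 151 12345678", "+1 415 555 0100"):
        print(candidate, "->", mtan_enrolment_decision(candidate, GRANDFATHERED))
```

Comparing the grandfather set against the normalised form (rather than the raw string the user typed) matters: a stored "+49151..." and a freshly entered "0049 151 ..." must be recognised as the same number, otherwise the exception for existing foreign numbers silently stops working.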
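For the OIDC migration to the BTB described above, the release note states that the URLs and signature certificates stay the same and asks integrators to test for regressions. One cheap, repeatable check is to pin those exact things from a known-good state and compare them after the migration on REF, ABN and PROD. The block below is an added example and not eIAM's tooling: the issuer URLs are hypothetical placeholders and the JWK moduli are constructed strings, not real key material. It computes RFC 7638 JWK thumbprints so that a rotated signing key is detected even if the `kid` is reused, and it reports every pinned field that differs.

```python
import base64
import copy
import hashlib
import json
from typing import Dict, List

# Discovery-document fields that must not change across the migration; compared verbatim.
PINNED_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint",
                 "userinfo_endpoint", "jwks_uri", "end_session_endpoint")

# RFC 7638: the required public members that go into the thumbprint, per key type.
_THUMBPRINT_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
    "OKP": ("crv", "kty", "x"),
}


def jwk_thumbprint(jwk: Dict) -> str:
    """RFC 7638 thumbprint: base64url(SHA-256(canonical JSON of the required members))."""
    members = _THUMBPRINT_MEMBERS.get(jwk.get("kty"))
    if members is None:
        raise ValueError(f"unsupported or missing kty: {jwk.get('kty')!r}")
    canonical = json.dumps({m: jwk[m] for m in members}, separators=(",", ":"), sort_keys=True)
    digest = hashlib.sha256(canonical.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def signing_thumbprints(jwks: Dict) -> List[str]:
    """Thumbprints of the keys a relying party would accept for signatures (use=sig or unspecified)."""
    return sorted(jwk_thumbprint(k) for k in jwks.get("keys", []) if k.get("use", "sig") == "sig")


def pin_federation(discovery: Dict, jwks: Dict) -> Dict:
    """Snapshot the pinned endpoints and signing-key thumbprints from a known-good state."""
    pinned = {f: discovery[f] for f in PINNED_FIELDS if f in discovery}
    pinned["signing_key_thumbprints"] = signing_thumbprints(jwks)
    return pinned


def federation_diff(pinned: Dict, discovery: Dict, jwks: Dict) -> List[str]:
    """Compare the current discovery document and JWKS with the snapshot; [] means no regression."""
    findings: List[str] = []
    for field in PINNED_FIELDS:
        if field in pinned and discovery.get(field) != pinned[field]:
            findings.append(f"{field}: expected {pinned[field]!r}, got {discovery.get(field)!r}")
    expected_keys = set(pinned["signing_key_thumbprints"])
    current_keys = set(signing_thumbprints(jwks))
    for tp in sorted(expected_keys - current_keys):
        findings.append(f"signing key {tp} no longer published (tokens signed with it will fail to verify)")
    for tp in sorted(current_keys - expected_keys):
        findings.append(f"unexpected signing key {tp} published (check it is the announced certificate)")
    return findings


# Constructed baseline: hypothetical issuer and placeholder moduli, not eIAM's real values.
BASELINE_DISCOVERY = {
    "issuer": "https://idp.example.test",
    "authorization_endpoint": "https://idp.example.test/auth",
    "token_endpoint": "https://idp.example.test/token",
    "jwks_uri": "https://idp.example.test/jwks",
    "end_session_endpoint": "https://idp.example.test/logout",
}
BASELINE_JWKS = {"keys": [
    {"kty": "RSA", "kid": "sig-2024-01", "use": "sig", "alg": "RS256", "e": "AQAB", "n": "placeholder-modulus-A"},
    {"kty": "RSA", "kid": "enc-2024-01", "use": "enc", "alg": "RSA-OAEP", "e": "AQAB", "n": "placeholder-modulus-B"},
]}
PINNED = pin_federation(BASELINE_DISCOVERY, BASELINE_JWKS)


def regression_after_migration() -> List[str]:
    """Simulated post-migration state: the token endpoint moved and the signing key was
    rotated under the same kid. Both must show up as findings."""
    current_discovery = dict(BASELINE_DISCOVERY, token_endpoint="https://idp.example.test/btb/token")
    current_jwks = copy.deepcopy(BASELINE_JWKS)
    current_jwks["keys"][0]["n"] = "placeholder-modulus-C"
    return federation_diff(PINNED, current_discovery, current_jwks)


if __name__ == "__main__":
    for line in regression_after_migration():
        print(line)
```

In practice you would serialise the result of `pin_federation` per environment before the migration and feed the live discovery document and JWKS (fetched from `.well-known/openid-configuration` and `jwks_uri`) into `federation_diff` after it; an empty list is the positive feedback the note asks for, a non-empty one is what to report to the testing team.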
Migrations to the new eIAM CI/CD automation platform
All eIAM components, both centralised and customer-specific, will be migrated successively and in stages to the new CI/CD (continuous integration/continuous deployment) operating platform. This container-based operating platform will help us to scale eIAM better and to meet the future requirements for integrations and further development of the eIAM service. With the "Eiger" service release, further components are migrated from the classic eIAM operating platform to the new CI/CD operating platform. Ideally, these migrations are transparent for you as an eIAM customer and for the users of your applications. Customers who are directly affected by a migration are always informed about the planned migration in advance.
Information about this can be found at: eIAM Automation (CI/CD)