Release Notes / Customer Information

Finsteraarhorn 07.07.2024

Status: Final (01.07.2024)

The Release Notes (RN) report on the enhancements, as well as new functionalities and changes to the eIAM Services as per the Roadmap DTI.
Please note that dates for the completion of documentation and concepts usually refer to the end of a release period and have nothing to do with the individual release dates (Release Dates) for functionalities.


Launch date
  • REF:      ⇨ 29.04.2024
    ⚒ Regression testing ❌❎ ➔ eIAM ⚒✅
  • ABN:    ⇨ 29.05.2024
    ⚒ Regression testing ❌❎ ➔ eIAM ⚒✅
  • PROD:  ⇨ 07.07.2024
    Sunday ⚒ Final Inspection ❎❎ ➔ eIAM
Changes - Innovations
  • FED-LOGIN - Support of Access App for users without smartcard
  • Use FED-LOGIN - Access App for authentication: Remember decision
  • FED-LOGIN - Alternatives to SSO login with Kerberos ticket
  • FED-LOGIN, CH-LOGIN - New behaviour for PW Reset

Regression testing by eIAM customers

Your cooperation is necessary and very important. In the last releases, we had problems in the higher operating environments (ABN, PROD) only where applications had not carried out their regression tests in advance on REF and/or ABN. These are unnecessary problems which we can avoid together. We count on your support here. It is important that you carry out your regression tests carefully and report any problems to the testing team promptly and in a qualified manner.

Process and expectations for SR introductions

In order to be able to guarantee the stable and secure productive eIAM service, we require meaningful regression tests of the applications in the REF and ABN instances until the SR rollout to PRODUCTION. Normally you have 10 working days at your disposal for this. Please note that in the first 2 days after installation you can benefit from an Early Live Support Team that will assist you promptly in the case of problems.

These release notes will help you to plan the regression tests in relation to the eIAM functionalities you use and will also serve as a source of information for your end customer communication. Please note that the final version of the release notes with all necessary details will be delivered shortly before the productive installation.

Important
Let us know your test results (positive or negative) via the "Feedback form customer regression tests" (only accessible from the Federal Administration network) so that any service release corrections can be made in good time.

eIAM contact person

If you have any questions or concerns about eIAM, ePortal or PAMS, you can contact the following offices or persons:

eIAM contact points

Changes - Innovations

FED-LOGIN - Support of Access App for users without smartcard

FED-LOGIN supports the use of login factors as an alternative to the smartcard. This also applies to people who are not equipped with a smartcard ("totally smartcardless"). Previously, users without a smartcard had to use a password and Mobile ID to log in. Users with a FED-LOGIN identity who are not equipped with a smartcard can now also register the FED-LOGIN Access App as a login factor during onboarding. This removes the restriction that the user must have a Mobile ID-capable SIM card from a Swiss telecommunications provider. As part of the passwordless strategy, new registrations for "totally smartcardless" must be made with the FED-LOGIN Access App from this release onwards. Mobile ID is no longer offered for new registrations. Link to the instructions: FED-LOGIN totally smartcardless

Use FED-LOGIN - Access App for authentication: Remember decision

[Screenshot: FED-LOGIN with Access App, Service Release Finsteraarhorn]

If a user with a FED-LOGIN identity authenticates themselves with a smartphone, they preferably do this with the FED-LOGIN Access App. From release "Finsteraarhorn" onwards, the user can save the decision to use the FED-LOGIN Access App for login in the browser. This means that it is not necessary to select the FED-LOGIN Access App again for future logins. The browser remembers this decision. Please note that the pop-up asking the user to confirm whether the FED-LOGIN Access App may be opened is a function of the smartphone's operating system and cannot be skipped.

FED-LOGIN - Alternatives to SSO login with Kerberos ticket

If authentication using the FED-LOGIN with a Kerberos ticket (Active Directory SSO) was successful, but no identity with a corresponding Active Directory account could be found in eIAM, the entire authentication was considered to have failed. The user had no option to log in with their smartcard or the FED-LOGIN Access App as an alternative to Active Directory SSO. As of the Finsteraarhorn release, FED-LOGIN always offers the user alternative login options if authentication via Kerberos ticket was not possible.

FED-LOGIN, CH-LOGIN - New behaviour for PW Reset

Previously, the status (success, failed, etc.) of the IDP (CH-LOGIN, FED-LOGIN) was always forwarded to the relying party as a status responder code during the password reset flow. If the PEP was the recipient of the status responder code, it could resolve it accordingly and display a meaningful message to the user (password reset was successful/failed, etc.). However, if the status responder code was passed on to Keycloak, it was unable to resolve the code and displayed an "unattractive", uninformative message to the user. With Finsteraarhorn, the forwarding of a status responder code in the event of a password reset is now prevented and the IDP (CH-LOGIN, FED-LOGIN) is now directly responsible for displaying a meaningful message.

New attribute "Date of birth" available in eIAM

As of the "Finsteraarhorn" release, a new attribute "Date of birth" is available in eIAM. This attribute can be supplied in the eIAM token at runtime. The subject's date of birth is only supplied if it has been verified. Verification is carried out on the one hand by HR processes for internal employees of the Federal Administration and on the other hand by identity verification in AGOV or CH-LOGIN. The date of birth is an optional attribute that is only supplied by eIAM in the token if the customer requests it via the application integration.

Please note that the date of birth cannot be supplied for external employees of the Federal Administration and employees of the cantonal administrations with a FED-LOGIN identity, as this is not verified, even though the quality of authentication is at a high level (QoA50/QoA60), for example with a smartcard.