Release Notes / Customer Information
Grünhorn 08.09.2024
The Release Notes (RN) report on the enhancements, as well as new functionalities and changes to the eIAM Services as per the Roadmap DTI.
Launch date
- REF: 02.07.2024, followed by regression testing by eIAM
- ABN: 14.08.2024, followed by regression testing by eIAM
- PROD: 08.09.2024 (Sunday), followed by final inspection by eIAM
- CH-LOGIN - No registration of a second login factor as an opt-out option
- SharePoint - Support for federated login with MS Office applications (MS-OFBA)
- Migration from eIAM to the FOITT RHOS container platform
- Preliminary information for the next release ‘Hohberghorn’ - Separation of the SOAP web service interface (eIAM-WS) for internal and external use by the Federal Administration
Regression testing by eIAM customers
Your cooperation is necessary and very important. In the last releases, we had problems in the higher operating environments (ABN, PROD) only where applications had not carried out their regression tests in advance on REF and/or ABN. These are unnecessary problems which we can avoid together. We count on your support here. It is important that you carry out your regression tests carefully and report any problems to the testing team promptly and in a qualified manner.
Process and expectations for SR introductions
In order to be able to guarantee a stable and secure productive eIAM service, we require meaningful regression tests of the applications in the REF and ABN instances before the SR rollout to PRODUCTION. Normally you have 10 working days at your disposal for this. Please note that in the first 2 days after installation you can benefit from an Early Live Support Team that will assist you promptly in the case of problems. These release notes will help you to plan the regression tests in relation to the eIAM functionalities you use and will also serve as a source of information for your end customer communication. Please note that the final version of the release notes with all necessary details will be delivered shortly before the productive installation.
Important
Let us know your test results (positive or negative) via the ‘Feedback form customer regression tests’.
eIAM contact person
If you have any questions or concerns about eIAM, ePortal or PAMS, you can contact the following offices or persons.
eIAM contact points
- Testing questions: eIAM Testing Team, Testing-eiam@bit.admin.c
- Operational issues: eIAM Platform Team, eIAM-Operations@bit.admin.ch / +41 (0)58 469 88 55; Edgar Kälin, FOITT (PO eIAM Platform Team)
- Integration of new solutions: eIAM Integration Team, eIAM-Integrations@bit.admin.ch / +41 (0)58 469 88 55; Danny Rothe, FOITT (PO eIAM Integration)
- ePortal issues: eIAM ePortal Team, eportal@bit.admin.ch; Dilek Hoza, FOITT (PO ePortal)
- General questions, management questions or complaints: Roger.Zuercher@bit.admin.ch, Service Manager eIAM / Project Manager (BO-eIAM)
- New requirements for eIAM: service responsible for federated IAM (BO-eIAM)
Kadir Gelme (SM eIAM Testing)
Changes - Innovations
CH-LOGIN - No registration of a second login factor as an opt-out option
In the past, when registering new CH-LOGIN identities, the collection and use of a second login factor (authenticator app, FIDO security key or mTAN SMS) was an option that the user could select if the registration resulted from calling up an application that did not require a second factor. For security reasons, most applications integrated in eIAM now require a second factor in addition to the password when logging in. The registration of a second factor is now the standard. The user must therefore actively choose (opt out) not to register a second factor; if they do not, they are guided through the registration of a second factor by default. The option not to register a second factor is of course only offered during registration if the target application called up by the user allows login without a second factor.
SharePoint - Support for federated login with MS Office applications (MS-OFBA)
Login to Microsoft SharePoint of the Federal Administration takes place from the networks of the Federal Administration directly via Active Directory and without eIAM. This is not possible from the Internet; in that case, login is via eIAM. SharePoint can be accessed either from a web browser or from an MS Office application. If SharePoint is accessed directly from an MS Office application and a login is required, Microsoft uses a proprietary protocol (MS-OFBA) and a protocol client in the MS Office application that is still based on Internet Explorer. This protocol client does not support many of today's standard JavaScript functions, which manifests itself in warnings and error messages when logging in. It can also mean that logins to identity providers (IdP) offered by eIAM do not work at all. With the ‘Grünhorn’ release, eIAM provides a login procedure for the use of SharePoint with MS Office applications whose architecture improves the user experience: the modern standard web browser on the user's device can be used for login.
Migration from eIAM to the FOITT RHOS container platform
The ‘Red Hat OpenShift Container Platform’ (RHOS) is FOITT's strategic platform for operating containerised applications. The migration of the eIAM service from the previous ‘SUSE Rancher’ container platform to the ‘RHOS’ platform is therefore strategically important and a prerequisite for being able to offer eIAM geo-redundantly in Primus and Campus. With the last release of eIAM, ‘Finsteraarhorn’, the core components of eIAM were migrated to RHOS. As of the eIAM release ‘Grünhorn’, the RP-PEP (Reverse Proxy Policy Enforcement Point), which regulates access to applications in the Federal Administration networks, and the STS-PEP, which is used by applications without an RP-PEP, will also be migrated to the RHOS infrastructure. For you as an eIAM customer, this change is transparent and no adjustments need to be made to the applications. We may need your support for the activation of communication connections (firewall openings) between the eIAM RP-PEP and your application. This is only the case if the necessary communication connections cannot or may not be ordered by eIAM. In this case, those responsible for the application will be contacted by the eIAM team and provided with the necessary information so that you can order the firewall opening from your side.
Preliminary information for the next release ‘Hohberghorn’ - Separation of the SOAP web service interface (eIAM-WS) for internal and external use by the Federal Administration
The eIAM SOAP web service interface (eIAM-WS) provides an interface via which attributes and role information from your own eIAM access client can be queried and also updated. The application accesses this interface for both reading and writing, and the interface can be addressed from within and from outside the Federal Administration's networks. Previously, a single endpoint was offered for this purpose, which could be used both from the networks of the Federal Administration and from the Internet. From the upcoming ‘Hohberghorn’ release, these endpoints will be separated for security and stability reasons: the DNS entry of this interface in the networks of the Federal Administration will then point to an internal IP address, while the address from the Internet will remain the same. Please ensure in advance that the communication connections from your applications to the new endpoints are possible and that the connections are not blocked by firewalls, for example.
New endpoints for eIAM-WS for web service clients from the Federal Administration networks:
Environment / Stage | Endpoint | IP Address | Port | Protocol |
---|---|---|---|---|
Reference (REF) | https://services.gate-r.eiam.admin.ch/nevisidm/services/v1_45/AdminService | 10.179.1.79 | 443 | TCP/https |
Acceptance (ABN) | https://services.gate-a.eiam.admin.ch/nevisidm/services/v1_45/AdminService | 10.179.0.97 | 443 | TCP/https |
Production (PROD) | https://services.gate.eiam.admin.ch/nevisidm/services/v1_45/AdminService | 10.179.0.98 | 443 | TCP/https |
Please test the connections using the IP address and port, as the DNS entries still resolve to the previous IP addresses, even from the networks of the Federal Administration. The DNS resolution will only be adjusted with the rollout of the ‘Hohberghorn’ release.
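A pre-check for the new internal endpoints, written for these release notes as an added example (it is not eIAM's or FOITT's own tooling): it shows what the local resolver currently returns for each hostname, then connects to the new IP directly with SNI set to the hostname, so the TLS handshake is tested before the DNS switch. The `probe` and `check_stage` helpers and the injectable resolver/prober are assumptions for illustration; the hosts, IPs and ports are those in the table above.

```python
import socket
import ssl

# New internal eIAM-WS endpoints from the table in the release notes (host, new IP, port).
ENDPOINTS = {
    "REF": ("services.gate-r.eiam.admin.ch", "10.179.1.79", 443),
    "ABN": ("services.gate-a.eiam.admin.ch", "10.179.0.97", 443),
    "PROD": ("services.gate.eiam.admin.ch", "10.179.0.98", 443),
}

def resolve(host):
    """IPv4 addresses the local resolver currently returns for the hostname."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(host, None, socket.AF_INET)}
    except socket.gaierror:
        return set()

def probe(ip, port, host, timeout=5.0):
    """Connect to the IP directly (bypassing DNS) and complete a TLS handshake
    with SNI set to the hostname the application will use after the DNS switch.
    "blocked" = no TCP/TLS connection (e.g. a firewall in the path);
    "reachable-cert-mismatch" = path is open but the certificate does not
    validate for the host, which is not a firewall problem."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((ip, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "ok"
    except ssl.SSLCertVerificationError:
        return "reachable-cert-mismatch"
    except (OSError, ssl.SSLError):
        return "blocked"

def check_stage(stage, resolver=resolve, prober=probe):
    """Check one stage (hypothetical helper). resolver/prober are injectable so
    the logic can be exercised without network access."""
    host, new_ip, port = ENDPOINTS[stage]
    resolved = resolver(host)
    return {
        "stage": stage,
        "dns_already_switched": new_ip in resolved,   # True once Hohberghorn DNS is live
        "resolved": sorted(resolved),
        "new_endpoint": prober(new_ip, port, host),
    }

if __name__ == "__main__":
    for stage in ENDPOINTS:
        r = check_stage(stage)
        note = " (DNS already points to new IP)" if r["dns_already_switched"] else ""
        print(f"{stage:<4} new endpoint: {r['new_endpoint']}; DNS -> {r['resolved']}{note}")
```

Run it from inside the Federal Administration networks on a host that will talk to eIAM-WS; a "blocked" result for any stage means the firewall opening still has to be ordered before the release.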