Release Notes / Customer Information
Hohberghorn 03.11.2024
The Release Notes (RN) report on the enhancements, as well as new functionalities and changes to the eIAM Services as per the Roadmap DTI.
Launch date
- REF: 12.09.2024, followed by regression testing with feedback to eIAM
- ABN: 09.10.2024, followed by regression testing with feedback to eIAM
- PROD: 03.11.2024 (Sunday), followed by the final inspection with feedback to eIAM
- Separation of the SOAP web service interface (eIAM-WS) for internal and external use by the Federal Administration
- Introduction of new (non-standard) claim ‘adminOrganisationUID’ for identities in the enterprise context
- Support for testing with eIAM – Canary testing
- Support for testing with eIAM - prevent autologon
- The provisioning of eIAM in the Campus Data Center in Frauenfeld
Regression testing by eIAM customers
Your cooperation is necessary and very important. In the last releases, problems in the higher operating environments (ABN, PROD) occurred only for applications that had not carried out their regression tests beforehand on REF and/or ABN. These problems are avoidable, and we count on your support here: carry out your regression tests carefully and report any problems to the testing team promptly and with enough detail for them to be reproduced.

Process and expectations for SR introductions
To guarantee a stable and secure productive eIAM service, we require meaningful regression tests of the applications in the REF and ABN instances before the SR rollout to PRODUCTION. Normally you have 10 working days for this. In the first 2 days after installation, an Early Live Support Team is available to assist you promptly in case of problems. These release notes help you plan the regression tests for the eIAM functionalities you use and also serve as a source of information for your end-customer communication. Please note that the final version of the release notes, with all necessary details, will be delivered shortly before the productive installation.
Important
Let us know your test results (positive or negative) via Feedback form customer regression tests
eIAM contact person
If you have any questions or concerns about eIAM, ePortal or PAMS, you can contact the following offices or persons:

eIAM contact points
- Testing questions
  eIAM-Testing-Team: Testing-eiam@bit.admin.ch
- Operational issues
  eIAM Platform Team: eIAM-Operations@bit.admin.ch / +41 (0)58 469 88 55
  Edgar Kälin FOITT (PO eIAM Platform Team)
- Integration of new solutions
  eIAM Integration Team: eIAM-Integrations@bit.admin.ch / +41 (0)58 469 88 55
  Danny Rothe FOITT (PO eIAM Integration)
- ePortal issues
  eIAM-ePortal-Team: eportal@bit.admin.ch
  Dilek Hoza FOITT (PO ePortal)
- General questions, management questions or complaints
  Roger.Zuercher@bit.admin.ch, Service Manager eIAM / Project Manager (BO-eIAM)
- New requirements for eIAM
  Service responsible for federated IAM (BO-eIAM) (e-mail address not reproduced here)
Kadir Gelme (SM eIAM Testing)
Changes - Innovations
Separation of the SOAP web service interface (eIAM-WS) for internal and external use by the Federal Administration
The eIAM SOAP web service interface (eIAM-WS) allows attributes and role information to be queried and updated in your own eIAM access tenant. Access is read and write, and the interface can be used both from within the Federal Administration networks and from the internet. Previously, a single endpoint served both the Federal Administration networks and the internet. As announced in the pre-release information for the "Grünhorn" release, the "Hohberghorn" release separates these endpoints for security and stability reasons: from "Hohberghorn" on, the DNS entry for this interface in the Federal Administration networks (BVerw) points to an internal IP address, while the address for internet access remains unchanged. Please ensure that your applications can reach the new endpoints and that the connections are not blocked, for example by firewalls (outbound TCP/443 to the internal addresses below must be permitted).

New endpoints for eIAM-WS for web service clients from the Federal Administration networks:
Environment / Stage | Endpoint | IP address | Port | Protocol |
---|---|---|---|---|
Reference (REF) | https://services.gate-r.eiam.admin.ch/nevisidm/services/v1_45/AdminService | 10.179.1.79 | 443 | TCP/HTTPS |
Acceptance (ABN) | https://services.gate-a.eiam.admin.ch/nevisidm/services/v1_45/AdminService | 10.179.0.97 | 443 | TCP/HTTPS |
Production (PROD) | https://services.gate.eiam.admin.ch/nevisidm/services/v1_45/AdminService | 10.179.0.98 | 443 | TCP/HTTPS |
Because the DNS entries in the Federal Administration networks still resolve to the previous IP addresses, please test the connections now using the IP address and port from the table. While doing so, keep the published hostname for SNI and certificate validation (for example with a curl --resolve override or a temporary hosts-file entry) rather than connecting to the bare IP address and disabling certificate checks, since the server certificate is issued for the hostname, not the IP.
The DNS resolution will only be switched with the rollout of the 'Hohberghorn' release.
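The following script is an added example, not part of the eIAM release notes or of any eIAM tooling: it performs the pre-rollout check described above for all three stages. It connects to the new internal IP from the table while keeping the published hostname for SNI and certificate validation (via curl --resolve), so the check never needs curl --insecure, and it prints what the local resolver currently returns for comparison. The environment variable EIAM_WS_CHECK that gates the network calls is an assumption of this example, as is the use of getent for the resolver lookup.

```sh
#!/bin/sh
# Added example (not eIAM code): pre-rollout check of the new internal eIAM-WS
# endpoints. Hostnames, IPs and port are taken from the table in the release notes.

# Extract the hostname from an https:// URL (scheme, explicit port and path dropped).
host_from_url() {
    h="${1#*://}"      # drop scheme
    h="${h%%/*}"       # drop path
    h="${h%%:*}"       # drop explicit port, if any
    printf '%s\n' "$h"
}

# Build the curl --resolve argument HOST:PORT:IP so that the TCP connection goes
# to IP while SNI and certificate hostname validation still use HOST.
resolve_arg() {
    printf '%s:%s:%s\n' "$(host_from_url "$1")" "$2" "$3"
}

# Check one stage. Prints "<stage> <http_code> ssl_verify=<n>"; ssl_verify=0 means
# the certificate chain validated against the hostname. No --insecure anywhere.
check_endpoint() {
    stage="$1"; url="$2"; ip="$3"; port="${4:-443}"
    out=$(curl --silent --show-error --output /dev/null \
               --resolve "$(resolve_arg "$url" "$port" "$ip")" \
               --connect-timeout 5 --max-time 15 \
               --write-out '%{http_code} ssl_verify=%{ssl_verify_result}' \
               "$url") || { echo "$stage FAILED: connection or certificate error"; return 1; }
    echo "$stage $out"
}

# What the local resolver currently returns for the hostname (glibc getent assumed);
# before the rollout this is expected to differ from the IP in the table.
current_dns() {
    if command -v getent >/dev/null 2>&1; then
        getent ahostsv4 "$1" | awk 'NR==1 {print $1}'
    else
        echo "(getent not available)"
    fi
}

main() {
    # Endpoint table from the release notes: stage, URL, new internal IP.
    set -- \
      "REF  https://services.gate-r.eiam.admin.ch/nevisidm/services/v1_45/AdminService 10.179.1.79" \
      "ABN  https://services.gate-a.eiam.admin.ch/nevisidm/services/v1_45/AdminService 10.179.0.97" \
      "PROD https://services.gate.eiam.admin.ch/nevisidm/services/v1_45/AdminService 10.179.0.98"
    for row in "$@"; do
        set -- $row
        echo "$1: resolver currently -> $(current_dns "$(host_from_url "$2")"), table -> $3"
        check_endpoint "$1" "$2" "$3" 443 || true
    done
}

# Network calls only run when explicitly requested (EIAM_WS_CHECK=1 ./eiam-ws-check.sh),
# so the file can be sourced without side effects. Hypothetical variable name.
if [ "${EIAM_WS_CHECK:-}" = "1" ]; then
    main
fi
```

Run it from a host inside the Federal Administration networks; a FAILED line for a stage means either the firewall does not permit TCP/443 to that internal address or the certificate does not validate for the hostname, both of which must be fixed before the DNS switch, not worked around by disabling verification.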
Introduction of new (non-standard) claim ‘adminOrganisationUID’ for identities in the enterprise context
For certain applications, it is important to know in which organizational unit the subject accessing the application is administratively managed, in order to make decisions within the application. The "Central Identity Store" (CIS) provides the "adminOrganizationUID" attribute for this purpose. It is a stable identifier that remains unchanged even if the organizational unit is renamed, so applications should key their authorization decisions on this identifier rather than on the organization's display name. For example, the Federal Office of Information Technology and Telecommunications (FOITT) has adminOrganizationUID=uid-a877466-2f59451-18e5b407ab7–78d0. The attribute can be included in the token sent to the application at the request of the eIAM customer. It is a non-standard attribute: it must be specifically requested during the integration of the application or as an extension of an existing integration. The attribute is only available if the identity in question is an enterprise identity managed in the CIS. Note that this release note spells the claim name both "adminOrganisationUID" and "adminOrganizationUID"; use the exact name agreed for your integration, since claim matching in the application is literal.

Support for testing with eIAM – Canary testing
eIAM uses a modern continuous integration/continuous deployment infrastructure that allows a canary deployment of the eIAM components: two release versions can run in parallel. By default, all user requests are routed to the "active" version, so normal operation is not affected. To test innovations and/or bug fixes on the canary deployment, the users responsible for testing must set the appropriate canary cookie before logging in. On the page provided for this purpose, the «Canary Cookies» can be set individually for the different operating environments (REF/ABN/PROD) in the browser currently in use; the cookies can be deactivated again and/or deleted completely using the functions offered there. Because the cookie is set per browser and per stage, a test from another browser profile, or on a stage for which no cookie was set, runs against the active version.
Further explanations on how to use the ‘Canary Cookie’ can be found on our help page:
Testing in Canary mode
Support for testing with eIAM - prevent autologon
Within the Federal Network (including via a VPN connection), a user logging in via eIAM is usually logged in automatically at the FED-LOGIN identity provider, which holds the standard identities of Federal Administration employees in the Federal Network. This is very convenient for users, but it can be a hindrance in certain cases, for example during testing. The autologon cookie overrides this mechanism: the selection of identity providers available for the application is displayed, and the login at the FED-LOGIN IdP is not performed automatically via Kerberos (Active Directory single sign-on). The autologon cookie can be set individually for each operating environment/stage of eIAM (REF/ABN/PROD). On the page provided for this purpose, the «Autologon Cookies» can be set individually for the different operating environments (REF/ABN/PROD) in the browser currently in use; the cookies can be deactivated again and/or deleted completely using the functions offered there.
Further information on how to use the ‘Autologon Cookie’ can be found on our help page:
Testing without Autologon
The provisioning of eIAM in the Campus Data Center in Frauenfeld
With the "Hohberghorn" release, the provisioning of the core components of eIAM (Core) in the Campus Data Center is completed. The core of eIAM comprises all generically used components, such as the identity providers (IdP) CH-LOGIN, FED-LOGIN and IdP-Base, the Bundes-Trust-Broker (BTB), and the IDM services in which identities and permissions are managed. This ensures that, in the event of a disaster (failure of the Primus Data Center in Bern), eIAM can deliver its services from the Campus Data Center in Frauenfeld for applications that are either also operated in Frauenfeld or operated outside of FOITT.
In the upcoming phase, the RP-PEP components will be deployed in the Campus Data Center.