eIAM Support

Support

Instructions for self-help

We have created various self-help instructions for end users. You can find these under the following links, separated by login method.
Instructions for the CH-LOGIN
Instructions for the FED-LOGIN

Links to all instructions
CH-LOGIN

Account management

Two-factor authentication management

Management of external identities (BYOI)

Further instructions

FED-LOGIN

AGOV help

Important: Please do not create your own instructions for CH-LOGIN and FED-LOGIN. You are welcome to refer to the multilingual help pages we have created. This will save you effort, and your documents will always be up to date with eIAM.

Support Forms

The principle of self-help applies to both CH-LOGIN and FED-LOGIN. The end users should always first try to solve their difficulties on their own via self-help. If this is not successful, we have created the following forms for the corresponding support requests regarding a login problem, an account mutation or reset.

Managed Techuser Forms

eIAM offers the use and setup of "Managed Techusers". The Techusers are provided and managed by the eIAM Operations team according to the customer's order specifications.

The following three techuser categories are available:

1. Techusers to use the APIs provided by eIAM

This category of tech users is mainly used in automatic user management. eIAM offers 2 APIs for this purpose: a SOAP interface for direct access to the user management in NevisIDM (see details on eIAM-AMW), and a REST interface through which the functionalities of the delegated management can be used as a service (see details on eIAM-RDM).

Please note the following necessary preparations before ordering:

  • For accounts with a soft certificate, authentication is done by means of an X.509 certificate of class C (classes D and E are not supported).
    • The certificate must first be procured by you as the customer, in accordance with the specifications of the Admin PKI, via a Remedy MAC (enter order by order type, search for "certificates class C", -> order certificate).
    • The certificate is in the name of the technical user who is used to establish the connection.
    • The certificate must contain at least the following key usages:
      • X509v3 Key Usage: Digital Signature
      • X509v3 Extended Key Usage: TLS Web Client Authentication
    • The public key must be included in the order as a PEM file.
  • The CISO of the office (see list of CISO) must approve the use of the Techuser via mail.
  • For the lifecycle management of the "Managed Techuser", a responsible, central office must be defined (not a dedicated person), which knows the technical contexts and can carry out certificate exchanges, e.g. an application management team.
Order form for setting up a Techuser for eIAM-AMW
Order form for setting up a Techuser for eIAM-RDM

2. Techuser for the use of Web Service Gateway

This category of tech user is primarily used in SOAP-based server (consumer) to server (provider) communication via a web service gateway. eIAM offers the eIAM Web Service Gateway (eIAM-WSG) for authentication. Details on this service can be found at eIAM-WSG.

Please note the following necessary preparations before ordering:

  • The accounts used must be ordered in advance from ICD - CIS & Directories via Remedy. The team creates an account in the data reference point, which is provisioned to eIAM and is subject to a regulated lifecycle. The following naming conventions apply:
    • SN= SVC-<stage>-<department>-<office>-<APPL>
      • Stage: DEV, TST, REF, ABN, PRD
      • Department: FDHA, FDFA, FDF, FDJP, EAER, DETEC, DDPS
      • Office (abbreviation): e.g. FOITT, FSO, etc.
      • Appl (abbreviation): e.g. IDM, LVS, AWISA
    • givenName = TU
    • displayName: analogous to SN
  • Accounts with a soft certificate are authenticated using an X.509 certificate of class C (classes D and E are not supported).
    • The certificate must be procured in advance by you as the customer, in accordance with the Admin PKI specifications, via a Remedy MAC (enter order by order type, search for "Class C certificates", -> order certificate).
    • The certificate is in the name of the technical user who is used to establish the connection.
    • The certificate must contain at least the following key usages:
      • X509v3 Key Usage: Digital Signature
      • X509v3 Extended Key Usage: TLS Web Client Authentication
    • In the order, the public key must be supplied as a PEM file.
  • The CISO of the office (see list of CISO) must authorise the use of the tech user via e-mail.
  • For the lifecycle management of the "Managed Techuser", a responsible, central office must be defined (not a dedicated person), which knows the technical context and can carry out certificate exchanges, e.g. an application management team.
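
A pre-order check of a requested account against the naming convention above, as an added example that is not part of the original page or of eIAM. The function name, the character set allowed for the office and application abbreviations, and the reading of "analogous to SN" as "identical to SN" are assumptions; the sample values in the test calls are constructed.

```python
import re

# Values listed on this page for the SN components.
STAGES = {"DEV", "TST", "REF", "ABN", "PRD"}
DEPARTMENTS = {"FDHA", "FDFA", "FDF", "FDJP", "EAER", "DETEC", "DDPS"}

# Assumption: abbreviations are upper-case letters and digits. The page only
# gives examples (FOITT, FSO for offices; IDM, LVS, AWISA for applications).
ABBREV = re.compile(r"[A-Z][A-Z0-9]*")


def check_account(sn, given_name, display_name):
    """Return a list of naming-convention violations (empty list = compliant)."""
    errors = []
    parts = sn.split("-")
    if len(parts) != 5 or parts[0] != "SVC":
        errors.append("SN must have the form SVC-<stage>-<department>-<office>-<APPL>")
    else:
        _, stage, dept, office, appl = parts
        if stage not in STAGES:
            errors.append(f"unknown stage {stage!r}")
        if dept not in DEPARTMENTS:
            errors.append(f"unknown department {dept!r}")
        for label, value in (("office", office), ("APPL", appl)):
            if not ABBREV.fullmatch(value):
                errors.append(f"invalid {label} abbreviation {value!r}")
    if given_name != "TU":
        errors.append("givenName must be TU")
    # Assumption: "analogous to SN" is read as "identical to SN".
    if display_name != sn:
        errors.append("displayName must match SN")
    return errors
```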

Order form for setting up a techuser for eIAM-WSG

3. Techuser for interactive use (as user) of eIAM as services via Web-UI

This category is used in automated testing, monitoring and data processing. eIAM offers 4 account types of managed "techusers" for the interactive use of eIAM services via the web UI, especially for the login to office applications:

  1. CH-LOGIN with fixed mTAN and ReCaptcha whitelisting, suitable for applications with QoA30 and lower.
  2. Accounts with soft certificate class C for authentication via FED-LOGIN by means of certificate, suitable by default for applications with QoA30 and lower.
  3. Account from Active Directory (AD) with Trust AD Resource Forest ADR.ADMIN.CH, e.g. F-Account, for authentication via FED-LOGIN over Kerberos, suitable for applications with QoA40 and lower.
  4. T-Account (personal test identity with dedicated SG-PKI smartcard and AD reference) for authentication via FED-LOGIN (smartcard or AD authentication via Kerberos), suitable for applications with QoA60 and lower.
See information on QoA concept

Please note the following necessary preparations before ordering:

  • The following accounts must already exist:
    • CH-LOGIN must be created by the orderer in advance (see instructions CH-LOGIN - Registration). Important: SMS (mTAN) as a second factor must also be set up in advance, otherwise no fixed mTAN can be stored.
    • F-Account must be ordered via Remedy MAC (Link Remedy).
    • T-Account must be ordered via Remedy MAC (Link Remedy).
  • The accounts with a soft certificate must be procured by you as the customer, in accordance with the specifications of the Admin PKI, via a Remedy MAC (enter order by order type, search for "certificates class C", -> order certificate).
    • The certificate must be an X.509 class C certificate.
    • The certificate is in the name of the technical user used to establish the connection.
    • The certificate must contain at least the following key usages:
      • X509v3 Key Usage: Digital Signature
    • The public key must be included in the order as a PEM file.
  • The CISO of the office (see list of CISO) must approve the use of the techuser via mail.
  • For the lifecycle management of the "Managed Techuser", a responsible central office must be defined (not a dedicated person), which knows the technical interrelationships and can carry out certificate exchanges, e.g. an application management team. The exception here are T-accounts, which are personal.
Important
Please note that eIAM Operations only ensures that the tech users including the identity reference (account in the client's access client) are correctly created. It's the responsibility of the GKA/BVA to grant these Techuser accounts the necessary permissions in the Access Client for the intended use.
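
The certificate requirements listed for the three techuser categories can be checked before an order is submitted. The following is an added example, not code from the original page or from eIAM: it parses the text printed by `openssl x509 -noout -text` and reports which of the required usages are missing. The function names and the two sample outputs are constructed; `need_client_auth=False` reflects category 3, where the page lists only Digital Signature.

```python
import re

# Constructed samples: the extension section as printed by
# `openssl x509 -noout -text -in <certificate file>`.
SAMPLE_OK = """\
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, E-mail Protection
"""

SAMPLE_SERVER_ONLY = """\
        X509v3 extensions:
            X509v3 Key Usage: critical
                Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
"""


def parse_usages(text):
    """Return {extension name: set of usages} for the two usage extensions."""
    found = {}
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"\s*X509v3 ((?:Extended )?Key Usage):", line)
        if m and i + 1 < len(lines):
            # openssl prints the comma-separated values on the following line.
            found[m.group(1)] = {v.strip() for v in lines[i + 1].split(",") if v.strip()}
    return found


def missing_usages(text, need_client_auth=True):
    """List the usages required by the order checklist that the cert lacks."""
    required = {"Key Usage": {"Digital Signature"}}
    if need_client_auth:
        required["Extended Key Usage"] = {"TLS Web Client Authentication"}
    usages = parse_usages(text)
    missing = []
    for ext, needed in required.items():
        for usage in sorted(needed - usages.get(ext, set())):
            missing.append(f"X509v3 {ext}: {usage}")
    return missing
```

An empty list means the certificate carries every usage the checklist asks for; a certificate without the extension at all is reported the same way as one that has the extension but lacks the value.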

Order form for setting up a Techuser CH-LOGIN with fixed mTAN
Order form for setting up a Techuser account with soft certificate
Order form for setting up a Techuser account with AD-Trust (e.g. F-Account)
Order form for setting up a Techuser T-account