How to get logged 'as another user' with OpenAM ?

This topic has 9 replies, 4 voices, and was last updated 7 years, 2 months ago by Manchanda, P.

  • #4538
     rsaintobert
    Participant

    Hi,

I am currently analyzing OpenAM as a solution to replace our custom authentication and authorization system.

However, I have a specific scenario I don't know how to implement with it.

    I am working on an application with basically 2 kinds of users : master and novice users.
    In order to help a novice user, a master one (user1) already logged on the application should be able to “act” as if he were a target user (user2). Of course user1 cannot log on the application with user2’s credentials.
    In this scenario user1 must still be identifiable, I mean the operations on the application should know that user1 is acting as user2 for audit purpose.

OpenAM does not seem to offer this kind of functionality out of the box.
Basically, the least I need is to request a policy decision for user2 while user1 is connected with a valid token, but the REST API does not seem to enable this either.

    Any idea ?

    #4542
     nikhil.abhiman
    Participant

    Hi,

    If I am not wrong, can you pls check page 43 in OpenAM Dev Guide.
    I think you will find the answer, closely matches to what you are asking,
    Even I am exploring OpenAM, not sure how REST API reacts
    Meanwhile, you can also scan through section 4.2 – Requesting Policy Decisions

    Thanks,
    Nikhil.

    #4543
     rsaintobert
    Participant

    Hi Nikhil,

Actually, I have already gone through section 4.2, Requesting Policy Decisions, of the Dev Guide, but I don't know how to specify a subject different from the currently logged-in one, as the subject field requires an SSO token.
The only SSO token I have is for the currently logged-in user (master user user1), so I would get a decision for user1 while I need a decision for user2.
Another solution would be to first obtain a valid SSO token for the target user (user2) before calling this method, but that does not seem to be possible.

    Thanks for your reply anyway and please correct me if I am wrong.

    Remy

    #4555
     Manchanda, P
    Participant

    Thanks for starting this topic as I have a similar use case.

    @rsaintobert

Another solution would be to first obtain a valid SSO token for the target user (user2) before calling this method, but that does not seem to be possible.

What I understand is that master user1 will not have access to the credentials of novice user2. To get a valid SSO token, user2 will have to be authenticated, which would require user2's credentials to be available. How do you plan to handle this?

    Thanks and Regards
    P Manchanda

    #4556
     rsaintobert
    Participant

    Hi,

You're right, master user1 does not have access to the credentials of user2.
Actually, I would have imagined that I could retrieve an authentication token for another user (user2) by providing a valid SSO token (user1's), authorized to perform this kind of action.
    It could have been implemented in the STS service for instance.

But unfortunately that is not the case, and I am still stuck with this problem…

    Remy

    #4573
     Manchanda, P
    Participant

    Any update/progress on this.

    #4813
     Peter Major
    Moderator

The easiest way to implement user impersonation is to write a custom authentication module. The module would need to authenticate the “master” user, and then would need to request the “novice” user's ID. The module would then return “novice” as the authenticated user ID, and as such the “master” would be able to act on the “novice”'s behalf.
    I don’t really see how it would be possible to use an existing session to impersonate someone else.
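The following is an added sketch of the module Peter describes; it is not ForgeRock's code and was not posted in the thread. It extends OpenAM's AMLoginModule and, in a single state, takes three callbacks (master name, master password, target user name): the master is authenticated against the realm's identity repository with their own credentials, membership of an assumed "masters" group is checked, the target must exist and must not itself be a master, and the real identity is written into the new session as a property so that audit and application code can see that user1 is acting as user2. The package, class and property names, the group name and the three-callback layout are assumptions; the module's callbacks XML and service registration, which OpenAM also requires, are not shown.

```java
// Added example, not ForgeRock's code. Package, class, group name and the
// "am.impersonator" session property are assumptions; the matching callbacks
// XML (three callbacks in state 1) and service registration are not shown.
package com.example.openam.auth;

import java.security.Principal;
import java.util.Map;
import java.util.Set;

import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;

import com.sun.identity.authentication.spi.AMLoginModule;
import com.sun.identity.authentication.spi.AuthLoginException;
import com.sun.identity.authentication.util.ISAuthConstants;
import com.sun.identity.idm.AMIdentity;
import com.sun.identity.idm.AMIdentityRepository;
import com.sun.identity.idm.IdType;

public class ImpersonationModule extends AMLoginModule {

    private static final String MASTER_GROUP = "masters";          // assumption
    private static final String IMPERSONATOR_PROPERTY = "am.impersonator"; // assumption

    private String authenticatedAs;

    @Override
    public void init(Subject subject, Map sharedState, Map options) {
        // No module options are needed for this sketch.
    }

    @Override
    public int process(Callback[] callbacks, int state) throws AuthLoginException {
        if (state != ISAuthConstants.LOGIN_START) {
            throw new AuthLoginException("unexpected state " + state);
        }
        // Callback order as declared in the module XML: master, password, target.
        NameCallback masterCb = (NameCallback) callbacks[0];
        PasswordCallback passwordCb = (PasswordCallback) callbacks[1];
        String master = masterCb.getName();
        String novice = ((NameCallback) callbacks[2]).getName();
        if (master == null || master.isEmpty() || novice == null || novice.isEmpty()) {
            throw new AuthLoginException("master and target user names are required");
        }

        String realm = getRequestOrg();
        try {
            // 1. The master proves their own identity; user2's password is never used.
            AMIdentityRepository idRepo = getAMIdentityRepository(realm);
            if (!idRepo.authenticate(new Callback[] { masterCb, passwordCb })) {
                throw new AuthLoginException("invalid credentials for " + master);
            }
            // 2. Only members of the master group may impersonate anyone.
            if (!isMaster(master, realm)) {
                throw new AuthLoginException(master + " may not impersonate");
            }
            // 3. The target must exist and must not be a master itself, so the
            //    module cannot be used to borrow another privileged account.
            AMIdentity target = new AMIdentity(getSSOSession(), novice, IdType.USER, realm, null);
            if (!target.isExists() || isMaster(novice, realm)) {
                throw new AuthLoginException("cannot impersonate " + novice);
            }
        } catch (AuthLoginException e) {
            throw e;
        } catch (Exception e) {
            throw new AuthLoginException(e.getMessage(), e);
        }

        // 4. Keep the real actor in the session for audit: "user1 acting as user2".
        setUserSessionProperty(IMPERSONATOR_PROPERTY, master);
        authenticatedAs = novice;           // the session is issued for the novice
        return ISAuthConstants.LOGIN_SUCCEED;
    }

    /** True if the named user is a direct member of the master group. */
    private boolean isMaster(String user, String realm) throws Exception {
        AMIdentity id = new AMIdentity(getSSOSession(), user, IdType.USER, realm, null);
        Set groups = id.getMemberships(IdType.GROUP);
        for (Object g : groups) {
            if (MASTER_GROUP.equals(((AMIdentity) g).getName())) {
                return true;
            }
        }
        return false;
    }

    @Override
    public Principal getPrincipal() {
        return authenticatedAs == null ? null : new ImpersonatedPrincipal(authenticatedAs);
    }

    /** Minimal principal naming the user the session is created for. */
    private static final class ImpersonatedPrincipal implements Principal {
        private final String name;
        ImpersonatedPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof ImpersonatedPrincipal && name.equals(((ImpersonatedPrincipal) o).name);
        }
        @Override public int hashCode() { return name.hashCode(); }
    }
}
```

Note that this is a fresh authentication rather than a reuse of user1's existing session, which matches Peter's remark: the resulting SSO token belongs to user2, so policy decisions requested with it are evaluated for user2, while the session property carries user1's identity for logging. How that property reaches the application (for example through a policy agent's session-attribute headers) is deployment-specific and not covered by the thread.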

    #4833
     rsaintobert
    Participant

    Hi Peter,

    I hoped impersonation was available out of the box but it’s fine for me to write a custom module.
Many thanks for your reply!

    Rémy

    #4834
     Manchanda, P
    Participant

    There is an open Jira Issue for the same.

    Is there any plan to address this.

    Thanks and Regards
    P Manchanda

    #4835
     Manchanda, P
    Participant

    OpenDJ Provides ‘proxied authorization control’ as outlined here. Is it possible to leverage this feature through OpenAM.

    Thanks and Regards
    P Manchanda

©2022 ForgeRock