You could implement impersonation in Gluu. Personally, I would implement it as a multi-step authentication that requires a FIDO security key. In step 1, I'd ask for the admin username / password. In step 2, I'd check to make sure that user is an admin, and then I'd ask for the FIDO key. In step 3, I'd enable the admin to select the user to be impersonated. In step 3 of the Gluu Server person authentication interception script, you would then load the user profile for the target person instead of the person authenticated.
If you wanted to use the `act` claim you could add this to the OAuth access_token in the token introspection interception script. We don't support it out-of-the-box, but if you need it, you can add it as a custom claim at runtime based on the context.
Net-net, you can accomplish all this, but it will require some decent knowledge of how custom interception script programming works in the Gluu Server.
If you might be interested in procuring a VIP support contract, you can [schedule a call to discuss](https://gluu.org/booking).
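As an added example (not part of the original reply, and not Gluu's interception-script API), the following plain Python shows the shape an `act` claim takes in an introspection response and how a resource server can use it for its access decision and audit trail. It assumes the token's `sub` is the impersonated user and `act.sub` is the admin, following RFC 8693; the subject names and the `ALLOWED` allow-list are constructed for illustration.

```python
# Added example: plain Python, not Gluu's interception-script API.
# All subject names and the allow-list below are constructed sample values.

def add_actor(claims, actor_sub):
    """Return a copy of claims with actor_sub as the current actor.
    An existing `act` is nested under the new one (RFC 8693, section 4.1)."""
    act = {"sub": actor_sub}
    if "act" in claims:
        act["act"] = claims["act"]
    return {**claims, "act": act}

def actor_chain(claims, max_depth=8):
    """Return actor subjects, current actor first; reject malformed claims."""
    chain, node = [], claims.get("act")
    while node is not None:
        if not isinstance(node, dict) or not isinstance(node.get("sub"), str) or not node["sub"]:
            raise ValueError("malformed act claim")
        if len(chain) >= max_depth:
            raise ValueError("act chain too deep")
        chain.append(node["sub"])
        node = node.get("act")
    return chain

def evaluate(claims, allowed_actors):
    """Resource-server view of an introspection response: decision plus audit fields."""
    if claims.get("active") is not True:
        return {"allow": False, "reason": "inactive token"}
    try:
        chain = actor_chain(claims)
    except ValueError as exc:
        return {"allow": False, "reason": str(exc)}
    record = {"subject": claims.get("sub"), "actor": chain[0] if chain else None,
              "prior_actors": chain[1:], "impersonated": bool(chain)}
    # Only the current (outermost) actor is used for the decision;
    # nested prior actors are informational.
    if chain and chain[0] not in allowed_actors:
        return {**record, "allow": False, "reason": "actor not permitted"}
    return {**record, "allow": True}

# Constructed introspection response for the target user, then the admin added as actor.
BASE = {"active": True, "sub": "target-user", "scope": "openid profile"}
IMPERSONATED = add_actor(BASE, "admin-alice")
ALLOWED = {"admin-alice"}  # hypothetical allow-list of admins permitted to impersonate

if __name__ == "__main__":
    print(evaluate(IMPERSONATED, ALLOWED))
    print(evaluate(add_actor(BASE, "helpdesk-bob"), ALLOWED))
```

Logging the `subject` and `actor` fields together on every request keeps impersonated sessions distinguishable from the target user's own activity.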