By: Dieter Rothacker user 13 May 2016 at 10:46 a.m. CDT

4 Responses
This is basically a follow-up to https://support.gluu.org/customization/superuser-login-as-2699

To prevent multiple SPs from having to implement their own super-user switching (and to give SSO functionality), what would be the best way to do it on the IDP side?

Example: a special form for login - https://<idp>/oxauth/loginsu
- an admin user can log in here and can then select a directory user object that he wants to "impersonate"
- he then has a session as that user without having to know his password (so that he now has SSO functionality as that user in all SPs).

Is there an easy way to do this inside Gluu, or would it be better to write a custom application that fetches user data from LDAP and then generates a fake "valid credential" request to Gluu?

By Mohib Zico staff 13 May 2016 at 11:02 a.m. CDT

I can't understand your target, Dieter....

By Dieter Rothacker user 13 May 2016 at 11:10 a.m. CDT

:-) OK, so one use-case would be:
- a new user gets created (e.g. self-registration) and keeps his password secret
- he gets assigned some permissions for different SPs
- he complains that something is not working in one of the SPs

How can we test his SSO experience and whether the permissions are correct? I don't know the password, so I cannot log in as him. => I would like to be able to impersonate his user and have the same permissions/rights he has.

By Mohib Zico staff 13 May 2016 at 11:20 a.m. CDT

>> I would like to be able to impersonate his user and have the same permissions/rights he has.

Not possible in the current setup of Gluu Server. I would say check the logs with that user's uid and any error related to that SP/RP. :-) IMO, even an admin/superadmin/super user should not get the password for any user.

By Michael Schwartz Account Admin 13 May 2016 at 11:40 a.m. CDT

Agreed. Impersonation is not supported. And if this were possible, it would break the security model--how would you know any person was really who they said they were? The best thing you can do is to check the user's entry in the oxTrust GUI, and perhaps even in LDAP, and compare it against another user to see if there are any significant differences in the data. Normally that can lead to a few theories about the differences.