2020-05-14 23:29:41 +02:00

ContextSwitching plugin
=======================

This plugin allows certain users to switch context to another user. This may
be useful when providing assistance or when testing privileges. Enter
the uid of the user you'd like to switch context to.

Configuration
-------------

Just enable it in the Manager (section “plugins”) by setting a rule.
ContextSwitching can be allowed or denied for specific users.
Furthermore, assuming specific identities, such as administrators or
anonymous users, can be forbidden.

- **Parameters**:

  - **Use rule**: Rule to enable the plugin or define which users may use
    it (for example: ``$uid eq 'dwho' && $authenticationLevel > 2``).
  - **Identities use rule**: Rule to define which identities can be
    assumed. Useful to prevent impersonation of certain sensitive
    identities like CEO, administrators or anonymous/protected users.
  - **Unrestricted users rule**: Rule to define which users can switch
    context of ALL users. ``Identities use rule`` is bypassed.
  - **Allow 2FA modifications**: This option must be enabled to add,
    verify or delete a second factor during context switching.
  - **Stop by logout**: Stop context switching by sending a logout
    request.

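How the three rules above combine into one decision, as an added example that is not LemonLDAP::NG code: each rule is modelled as a Perl closure over a constructed session hash. It assumes the use rule is checked first against the real user and the identities use rule against the target identity; ``can_switch``, the ``root`` account and the hash keys are hypothetical names.

```perl
#!/usr/bin/perl
# Added illustration, not LemonLDAP::NG code: rules are modelled as closures
# over a session hash instead of being compiled by the portal.
use strict;
use warnings;

# Constructed sample sessions (attribute values are hypothetical).
my %session = (
    dwho   => { uid => 'dwho',   authenticationLevel => 3, groups => 'helpdesk' },
    rtyler => { uid => 'rtyler', authenticationLevel => 1, groups => 'users' },
    msmith => { uid => 'msmith', authenticationLevel => 2, groups => 'users' },
    root   => { uid => 'root',   authenticationLevel => 5, groups => 'admins' },
);

# Assumed evaluation order: use rule on the real user, then the unrestricted
# users rule, then the identities use rule on the target identity.
sub can_switch {
    my ( $rules, $real, $target ) = @_;
    return 'deny (use rule)'            unless $rules->{use_rule}->($real);
    return 'allow (unrestricted user)'  if $rules->{unrestricted}->($real);
    return 'deny (identities use rule)' unless $rules->{id_rule}->($target);
    return 'allow';
}

my %narrow = (
    # The page's example: $uid eq 'dwho' && $authenticationLevel > 2
    use_rule => sub { $_[0]{uid} eq 'dwho' && $_[0]{authenticationLevel} > 2 },
    # Sensitive identities (here: members of admins) cannot be assumed.
    id_rule => sub { $_[0]{groups} !~ /\badmins\b/ },
    # Nobody is unrestricted.
    unrestricted => sub { 0 },
);

# Same rules, but dwho is unrestricted: the identities use rule is bypassed.
my %broad = ( %narrow, unrestricted => sub { $_[0]{uid} eq 'dwho' } );

for my $case ( [ 'narrow', \%narrow ], [ 'broad', \%broad ] ) {
    my ( $name, $rules ) = @$case;
    for my $pair ( [qw(dwho msmith)], [qw(dwho root)], [qw(rtyler msmith)] ) {
        my ( $real, $target ) = @$pair;
        printf "%-6s %-6s -> %-6s : %s\n", $name, $real, $target,
          can_switch( $rules, $session{$real}, $session{$target} );
    }
}
```

Only the ``dwho -> root`` result differs between the two rule sets, which is why the unrestricted users rule deserves the narrowest condition of the three.
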
.. danger::

    During the context switching authentication process, all
    plugins are disabled. In other words, all entry points such as afterData,
    endAuth and so on are skipped. Therefore second factors or
    notifications, for example, will not be prompted and the login history
    is not updated!

.. attention::

    The ContextSwitching plugin works only with a userDB
    backend. You cannot switch context with federated authentication.

.. attention::

    The identity used and the start and end of the context switching
    process are logged!

contextSwitchingPrefix is used to store the real user's session ID. You can
set this prefix (``switching`` by default) by editing ``lemonldap-ng.ini``
in the [portal] section:

.. code-block:: ini

   [portal]
   contextSwitchingPrefix = switching