IBM Verify

  • 1.  ISVA: Implementing Switch User in InfoMap

    Posted Sat March 06, 2021 06:09 AM
    Hello all,

    Greetings! I am looking at current InfoMap capabilities and exploring the possible ways of implementing switch user functionality through it.

    One way of doing it is to do it manually by setting the session/credential attributes. However, as I currently see it, this may or may not be a good approach, as it involves manually replacing all attributes of the current credential. Also, the original session might get lost.

    Looking for comments and feedback on the above approach, and also on what better options are available for this.

    Best regards,

    ------------------------------
    Jahanzaib Sarwar
    ------------------------------


  • 2.  RE: ISVA: Implementing Switch User in InfoMap

    Posted Mon March 08, 2021 07:59 AM
    Jahanzaib,

    If you want to implement some kind of "switch user" function in InfoMap, I can't think of any way to do it other than what you have described. Basically you're creating a new credential for the session which has the username/groups/attributes of the "switch target".

    A few thoughts:

    When you do switch user in the Reverse Proxy it populates a credential attribute with the userID of the original user (for auditing).  I don't remember the name of that attribute but might be worth emulating this in your function.

    You'll have to disable the setting in Reverse Proxy that prevents a new EAI login from using a different userID to the current user in the session.

    To facilitate the "switch back", you'll probably need to save all of the information about the "switch initiator" user in session or DMAP cache so that you can re-instate it when the switch session is ended (I assume by triggering a different InfoMap).

    One final thing to be careful about when doing a switch user within a session is how target applications will pick up the change of user.  Most applications only read the SSO headers etc. on first access (and then set their own sessions) and so they won't pick up the switched user just because the Verify Access session changes.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------
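As an added illustration, not code from either post and not IBM's InfoMap or DMAP API, the following Node.js model carries the steps Jon lists through end to end: build a replacement credential from the target's username/groups/attributes, record the initiator's user ID in a credential attribute for auditing, keep a copy of the initiator in a cache so a later "switch back" can reinstate it, and refuse a nested switch or a switch by someone outside the permitted group. The attribute name `su_original_user`, the group name `su-admins`, the in-memory `Map` standing in for the DMAP cache, the session ID key and the sample credentials are all assumptions made for this example.

```javascript
// Added example: plain Node.js model of the switch-user / switch-back flow
// discussed in the thread. It is NOT an ISVA InfoMap script and calls no IBM
// API; the DMAP cache and the credential objects are stand-ins so the logic
// can be exercised offline. Attribute and group names are assumed.

// Stand-in for the DMAP / session cache that keeps the "switch initiator"
// credential so it can be reinstated on switch back (assumed: keyed by the
// session ID of the switching session).
const initiatorCache = new Map();

// Assumed name of the credential attribute that records who started the
// switch, mirroring the audit attribute the Reverse Proxy sets.
const ORIGINAL_USER_ATTR = 'su_original_user';
// Assumed group whose members are allowed to switch user.
const SWITCH_ADMIN_GROUP = 'su-admins';

function cloneCredential(cred) {
  return JSON.parse(JSON.stringify(cred));
}

// Build the replacement credential for the session: username, groups and
// attributes of the target, plus the initiator's user ID for auditing.
function switchUser(sessionId, currentCred, targetCred) {
  if (currentCred.attributes[ORIGINAL_USER_ATTR] !== undefined) {
    // Refuse nested switches: this session is already the result of a switch.
    throw new Error('switch already in progress; switch back first');
  }
  if (!currentCred.groups.includes(SWITCH_ADMIN_GROUP)) {
    throw new Error(`${currentCred.username} is not permitted to switch user`);
  }
  // Keep a copy of the initiator so the switch can be undone later.
  initiatorCache.set(sessionId, cloneCredential(currentCred));
  return {
    username: targetCred.username,
    groups: [...targetCred.groups],
    attributes: {
      ...targetCred.attributes,
      [ORIGINAL_USER_ATTR]: currentCred.username,
    },
  };
}

// Reinstate the initiator's credential and clear the cache entry.
function switchBack(sessionId, currentCred) {
  const saved = initiatorCache.get(sessionId);
  if (!saved) {
    throw new Error('no switch in progress for this session');
  }
  // Defensive check: the credential being replaced must carry the audit
  // attribute naming the initiator we saved for this session.
  if (currentCred.attributes[ORIGINAL_USER_ATTR] !== saved.username) {
    throw new Error('credential does not match the recorded initiator');
  }
  initiatorCache.delete(sessionId);
  return saved;
}

// Constructed sample credentials (not real ISVA data).
const helpdeskAdmin = {
  username: 'alice',
  groups: ['su-admins', 'staff'],
  attributes: { department: 'IT' },
};
const endUser = {
  username: 'bob',
  groups: ['staff'],
  attributes: { department: 'Sales' },
};

// Run one switch and one switch back on the sample data.
function demo() {
  const switched = switchUser('sess-42', helpdeskAdmin, endUser);
  const restored = switchBack('sess-42', switched);
  return { switched, restored };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

The model keeps the audit attribute only on the switched credential and drops it again on switch back, so an application that does honour the attribute sees the initiator's ID exactly while the switch is active. It does nothing about the last caveat in the reply: applications that read the SSO headers once and then keep their own session will not notice either the switch or the switch back unless their session is also ended.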