Requires Identity Panel v7.1 or higher.
In version 7 of the Identity Panel suite, users in the built-in Admin role can impersonate any defined role except Writer. This feature is useful for defining and testing a granular access model for the different platform user groups and roles.
This new option can be found in the security settings.
1. Go to Security
2. Expand a Role that you want to Impersonate
3. Click "Impersonate in Identity Panel" or "Impersonate in Service Panel" to start the login process with an impersonated role.
4. Once the validations are complete, log out.
5. Log into Identity Panel again to return to admin permissions.
How does it work?
A new URL endpoint has been introduced called "/account/impersonate/<Role to be impersonated>".
If an already logged-in user with Admin role accesses this URL, they will be logged off and redirected via a re-login URL back to "/account/impersonate/<Role to be impersonated>".
If a logged-out user with Admin role access goes to the URL, they will be logged in with a login redirect URL of "/account/impersonate/<Role to be Impersonated>".
Note: if a logged-in user who is NOT a part of the admin role goes to this URL, they will be redirected to the home page.
On login, if a user has the built-in admin role's group claim and the redirect URL matches "account/impersonate/<Role to be impersonated>", the login process removes the admin role's group claim from the Identity and adds the group claim of the target role to the Identity, then completes the login.
This allows the step-by-step redirect sequence of:
- Link to impersonate URL
- Logout
- Login (seeing that impersonation is requested and adjusting roles)
- Back to impersonate URL
- Redirect to home
Notes:
This feature can only be used by the built-in Admin Role.
It can be used to impersonate any role except the Writer.
It only works with OIDC or SAML authentication. AD-integrated authentication does not allow role override.
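The login-time claim swap and the restrictions in the notes above can be modelled as follows. This is an added illustration, not Identity Panel's own code; the group claim values, the Helpdesk and Auditor role names, the function names and the same-site check on the redirect URL are assumptions.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample data: role-to-group-claim mapping (values are assumptions).
ROLE_GROUPS = {
    "Admin": "grp-ip-admin",
    "Writer": "grp-ip-writer",
    "Helpdesk": "grp-ip-helpdesk",
    "Auditor": "grp-ip-auditor",
}
ADMIN_ROLE, EXCLUDED_ROLE = "Admin", "Writer"
IMPERSONATE_PATH = re.compile(r"^/account/impersonate/([^/]+)/?$")


def requested_role(redirect_url):
    """Return the role named in an impersonate redirect URL, else None."""
    parts = urlsplit(redirect_url)
    # Assumption: only relative, same-site redirect URLs are honoured.
    if parts.scheme or parts.netloc:
        return None
    match = IMPERSONATE_PATH.match(parts.path)
    return unquote(match.group(1)) if match else None


def claims_after_login(group_claims, redirect_url):
    """Model the swap at login: returns (group_claims, impersonated_role)."""
    groups = list(group_claims)
    role = requested_role(redirect_url)
    admin_group = ROLE_GROUPS[ADMIN_ROLE]
    # Ordinary logins and users without the admin group claim are unchanged.
    if role is None or admin_group not in groups:
        return groups, None
    # Writer cannot be impersonated; undefined roles are ignored.
    if role == EXCLUDED_ROLE or role not in ROLE_GROUPS:
        return groups, None
    # Remove every copy of the admin claim, then add the target role's claim.
    groups = [g for g in groups if g != admin_group]
    target = ROLE_GROUPS[role]
    if target not in groups:
        groups.append(target)
    return groups, role
```

When reviewing an access model this way, the point to confirm is that the impersonated session carries the target role's group claim and no longer carries the admin claim.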