I have a requirement to change a login/elevate a login (e.g. operator) on a Perspective session to another login (e.g. supervisor) on a single button click and then de-elevate the account (i.e. revert back to the operator user) on another click, without a session logout and login page.
Is that possible? Or is there an alternate solution someone has tried before?
Referring to the user manual, I used the Auth Challenge in the button click event to request the IdP to log me in as a Supervisor. I have configured the payload with the following details:
Doing so did bring up the embedded popup frame to log in, as shown below.
Further, I have configured an "Authentication Challenge Completed" session event script to log me in as a Supervisor, but it seems it does not work. I would appreciate it if anyone could have a look and let me know what is missing. The script is attached below:
    def onAuthChallengeCompleted(session, payload, result):
        if result.isSuccess():
            success = True
            context = result.getAsSuccess().getContext()
            user = context.user
            roles = user.roles
            #if roles in ('PGP Supervisor', 'PGP_Super') or !userLoggedIn:
            #if user.get("user") == "PGP_Super" or !userLoggedIn:
            # return containsAll ({idp-attributes:amr}, 'uname', 'pwd')
            if "PGP_Supervisor" in roles:
                # return containsAll ({idp-attributes:amr}, 'user', 'pwd')
                return system.perspective.login()
                system.security.validateUser(username='PGP_Super', password='Pgp super 123', authProfile= 'default')
You don't use the Auth Challenge to actually log you in. You use it to set some kind of time-limited session variable, or just record the information, so that the view's own logic can permit the intended operation.
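The approach described in the reply above, as an added example that is not part of the thread and not Ignition's own code: the completed challenge only records a time-limited supervisor approval on the session, and the view's logic checks that approval before each protected operation while the operator stays logged in. The `custom` object standing in for `session.custom`, the property names `elevatedBy` and `elevatedUntil`, the `userName` attribute, the 300-second window and the `FakeResult` stand-in are assumptions.

```python
import time

SUPERVISOR_ROLE = "PGP_Supervisor"  # role name used in the thread
ELEVATION_SECONDS = 300             # assumed window length


def grant_elevation(custom, result, now=None):
    """Call from onAuthChallengeCompleted; custom stands in for session.custom."""
    now = time.time() if now is None else now
    revoke_elevation(custom)  # a failed or unauthorized challenge never keeps an old grant
    if not result.isSuccess():
        return False
    user = result.getAsSuccess().getContext().user
    if SUPERVISOR_ROLE not in user.roles:
        return False
    custom.elevatedBy = user.userName  # attribute name is an assumption
    custom.elevatedUntil = now + ELEVATION_SECONDS
    return True


def is_elevated(custom, now=None):
    """Check at the moment of each supervisor-only action, not just once."""
    now = time.time() if now is None else now
    approved = bool(getattr(custom, "elevatedBy", None))
    return approved and now < getattr(custom, "elevatedUntil", 0)


def revoke_elevation(custom):
    """Handler for the de-elevate button click."""
    custom.elevatedBy = None
    custom.elevatedUntil = 0


class FakeResult(object):
    """Constructed stand-in for the challenge result, for running outside a gateway."""
    def __init__(self, ok, name="", roles=()):
        # One object plays result, success, context and user to keep the stub short
        self._ok, self.user = ok, self
        self.userName, self.roles = name, list(roles)
    def isSuccess(self):
        return self._ok
    def getAsSuccess(self):
        return self
    def getContext(self):
        return self
```

Because the session user never changes, anything that is audited or permission-checked against the logged-in user still sees the operator; the approver's name is kept on the session so the protected action can log it.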
Thanks for getting back, I really appreciate it. What I am trying to understand is that I want to elevate the current user (i.e. operator) to a supervisor without logging off the current operator user. I believe, after reading the manual, that the auth challenge can allow that functionality in a time-limited session:
Regardless, I am after a solution which will allow me to do so. But it seems the auth challenge embedded frame login popup page configured in the button event does not elevate my login to a time-based supervisor user, even though it seems to have accepted the login (screenshot in my previous reply), as it does not allow my logic to be executed, which is only allowed with a supervisor permission. Also, there seems to be no indication of an error.
Not sure if I am missing anything. I have actually configured my button in two parts (auth challenge and auth challenge completed session script); maybe I don't need both configs, as I only want to elevate my login temporarily on the session and not execute any session script during the elevated login.
By design. It simply does not do what you are after. There is nothing that does what you are after. The auth challenge provides the scaffolding for you to construct the logic you need, building on top of the currently logged user's permissions.
Are you wanting to essentially switch users similar to Vision where it has a popup that allows the new user to login, then once authenticated, the session switches to the new user rather than having to log off and back on?
I don't know of any way to do this in Perspective, but it would be nice. The Auth Challenge offers a way to show an embedded iFrame to authorize a user, but Perspective doesn't allow you to just pop up a window to do the actual login. But to switch users, you can select/enable "Ask the IdP to re-authenticate users", which will force the user to enter credentials even if a user is logged in, and the session will switch to that new user.