Applicable Versions: SecureAuth IdP 7.0+
Description: The client's helpdesk personnel need to perform functions and access profiles on behalf of users through SecureAuth IdP, beyond what the Account Management (Help Desk) page provides.
Background: The previously published realm-chaining article (familiarity with which is required to use this article effectively) works by forwarding the user to another realm once they have successfully completed authentication on the current realm. That configuration only allows the user to access their own profile. The configuration needed here is very similar to the steps outlined in that article, save for a few configuration changes.
The steps below describe a workflow in which the user goes through the standard authentication workflow that comes with SecureAuth IdP.
First Realm - SecureAuth1:
In the Workflow tab, set the following:
Public/Private Mode: Public and Private Mode
Authentication Mode: Standard (User /2nd Factor / Password)
Second Realm - SecureAuth2:
1. In the Workflow tab, set the following:
Public/Private Mode: Public Mode Only
Authentication Mode: UserName Only
2. Navigate to the Custom Front End section of the Workflow tab and set the following:
Receive Token: Send Token Only
This configuration essentially:
- protects SecureAuth2 by redirecting the user to SecureAuth1 if they haven't authenticated properly
- allows the user, once authenticated through SecureAuth1, to access another user's profile simply by typing that user's username into the login page of SecureAuth2.
Note: As additional protection, it is recommended to enable group restriction on SecureAuth1 so that only members of a certain group (in this case, only members of the Helpdesk group) can perform this function.